A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.

Zabbix is aware of this vulnerability and has completed verification. The only product in which we use Java is Zabbix Java Gateway, which does not use the log4j library and is therefore not impacted by this vulnerability.

For customers who use the log4j library with other Java applications, here are some proactive measures they can take to reduce the risk posed by CVE-2021-44228:

  • Upgrade to Apache log4j-2.1.50.rc2, as all prior 2.x versions are vulnerable.
  • For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to “TRUE” to prevent LDAP and other queries.
  • Default both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to “FALSE” to prevent Remote Code Execution attacks in Java 8u121.
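
One way to find which Java applications the measures above apply to, as an added example (not Zabbix or Apache code): it reads each jar's Maven metadata and sorts the bundled log4j-core version into the ranges this advisory names. The metadata path and all function names are assumptions of this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Version bounds quoted from the advisory text; later releases are not assessed.
VULN_MIN, VULN_MAX = (2, 0, 0), (2, 14, 1)
NOLOOKUPS_MIN = (2, 10, 0)  # log4j2.formatMsgNoLookups applies from 2.10.0 on
# Maven metadata entry that log4j-core builds carry (assumed present in the jar).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1', '2.3' or '2.0-beta9' -> (major, minor, patch); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def core_version(jar_path):
    """Version of log4j-core bundled in a jar, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    m = re.search(r"^version=(.+)$", props, re.M)
    return parse_version(m.group(1)) if m else None

def classify(version):
    """Map a version tuple to the action the advisory recommends."""
    if not VULN_MIN <= version <= VULN_MAX:
        return "outside 2.0-2.14.1"
    if version >= NOLOOKUPS_MIN:
        return "vulnerable: upgrade, or set log4j2.formatMsgNoLookups=true"
    return "vulnerable: upgrade (formatMsgNoLookups not available)"

def scan(root):
    """Return {jar path: verdict} for every jar under root that bundles log4j-core."""
    versions = {str(j): core_version(j) for j in sorted(Path(root).rglob("*.jar"))}
    return {p: classify(v) for p, v in versions.items() if v is not None}

def make_sample_jar(path, version):
    """Constructed test input: a jar containing only the metadata entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict}\t{path}")
```

Jars nested inside other archives (for example inside a WAR) are not opened, so unpack those first or treat an empty result as inconclusive.
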
Zachariah DeGraaf
2 years ago

Thank you for confirming your product is not affected by this.

Daniel Franco Cardoso
2 years ago

Thanks!

Ted
2 years ago

Hmmmm…are you sure about this statement?

src\zabbix_java\src\com\zabbix\gateway\BinaryProtocolSpeaker.java
import org.slf4j.Logger;

Templator/src/main/resources/org/zabbix/template/generator/objects/globals.drl
import org.apache.logging.log4j.Marker;
global org.apache.logging.log4j.core.Logger logger;
global String lang;
global Marker marker;

See this link to see more on slf4j
http://slf4j.org/log4shell.html

KJ
2 years ago
Reply to  Ted

SLF4J is explained in your link. And Templator (zabbix-template-generator) is just an old external tool, not included in Zabbix Package.

Wesley de Paula Oliveira
2 years ago

Hi all! And about apache service that Zabbix uses (standard installation indicated on zabbix portal)?
