A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By utilizing this vulnerability, a remote attacker could take control of the affected system.

Zabbix is aware of this vulnerability, has completed verification, and can conclude that the only product where we use Java is Zabbix Java Gateway, which does not utilize the log4j library, thereby is not impacted by this vulnerability.

For customers, who use the log4j library with other Java applications, here are some proactive measures, which they can take to reduce the risk posed by CVE-2021-44228:

  • Upgrade to Apache log4j-2.1.50.rc2, as all prior 2.x versions are vulnerable.
  • For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to “TRUE” to prevent LDAP and other queries.
  • Default both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to “FALSE” to prevent Remote Code Execution attacks in Java 8u121.
Subscribe
Notify of
5 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Zachariah DeGraaf
Zachariah DeGraaf
9 months ago

Thank you for confirming your product is not affected by this.

Daniel Franco Cardoso
Daniel Franco Cardoso
9 months ago

Thanks!

Ted
Ted
9 months ago

Hmmmm…are you sure about this statement?

srczabbix_javasrccomzabbixgatewayBinaryProtocolSpeaker.java
import org.slf4j.Logger;

Templator/src/main/resources/org/zabbix/template/generator/objects/globals.drl
import org.apache.logging.log4j.Marker;
global org.apache.logging.log4j.core.Logger logger;
global String lang;
global Marker marker;

See this link to see more on slf4j
http://slf4j.org/log4shell.html

KJ
KJ
9 months ago
Reply to  Ted

SLF4J is explained in your link. And Templator (zabbix-template-generator) is just an old external tool, Not included in Zabbix Package.

Wesley de Paula Oliveira
Wesley de Paula Oliveira
9 months ago

Hi all! And about apache service that Zabbix uses (standard instalation indicated on zabbix portal)?

5
0
Would love your thoughts, please comment.x
()
x