A new 0-day vulnerability, formally known as CVE-2021-44228, was published to the NIST National Vulnerability Database on Friday, December 10th, and was followed by a second NIST entry, CVE-2021-45046, on December 14th. The vulnerability is in the Log4j Java logging library.
Log4j is a popular open-source logging library made by the Apache Software Foundation. The vulnerability, commonly called Log4Shell, allows an unauthenticated remote attacker to execute arbitrary code on any system that logs attacker-controlled input with a vulnerable Log4j 2 version. NIST classifies its severity as "Critical" (CVSS 10.0).
Versata BRMS applications use the Log4j 1.x branch, which is not affected by CVE-2021-44228 itself but may be exposed to the related CVE-2021-4104 if publicly accessible. CVE-2021-4104 affects the JMSAppender in Log4j 1.2: when that appender is configured, Log4j performs JNDI lookups of the configured connection factory and topic names, and an attacker who has write access to the Log4j configuration (or can otherwise control those names) can point them at a server they control and trigger deserialization of untrusted data, leading to remote code execution. A configuration without a JMS Appender is not affected.
To find out whether your BRMS application is affected, search your server for *log4j.xml files and check whether any of them enables a JMS Appender (an <appender> element whose class is org.apache.log4j.net.JMSAppender and which is referenced by a logger). If one does, IgniteTech can work with you on securing your BRMS application.
Here is an example JMS Appender configuration:
<appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <!-- X, Y and Z are placeholders; a real configuration carries the appender's JNDI and topic parameters here -->
    <errorHandler class="X"/>
    <param name="Y" value="Z"/>
</appender>
If a JMS Appender is enabled, we recommend making the application accessible internally only (not reachable from the public Internet) until the issue is fully resolved. Since the exposure exists only while a JMS Appender is configured, removing that appender from the Log4j configuration also removes it.
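The check described above (find the *log4j.xml files, see whether any of them enables a JMS Appender) can be scripted. The following is an added example, not IgniteTech's or Apache's code: it walks a directory tree, reports every Log4j XML configuration that defines a JMSAppender, tells you whether a logger actually references it (a defined but unreferenced appender is never instantiated and so never performs the JNDI lookup), and prints the JNDI-related parameters it carries. The directory names, file names and sample configurations it builds are constructed for the demo and are not taken from a real BRMS install.

```shell
#!/bin/sh
# Added example (not IgniteTech's or Apache's code): locate Log4j 1.x XML
# configurations under a directory tree and report any JMSAppender they
# define, whether a logger actually uses it, and the JNDI settings it carries.
# Paths, file names and the sample configs below are constructed for the demo.

# Print every *log4j*.xml file under DIR (default .) that mentions the
# JMSAppender class. A match inside an XML comment is reported too, so
# review each hit rather than trusting the count alone.
find_jms_config_files() {
  find "${1:-.}" -type f -iname '*log4j*.xml' \
    -exec grep -l 'org\.apache\.log4j\.net\.JMSAppender' {} + 2>/dev/null
}

# Print the name= attribute of each <appender> in FILE whose class is
# JMSAppender, regardless of attribute order.
jms_appender_names() {
  grep -o '<appender [^>]*>' "$1" \
    | grep 'org\.apache\.log4j\.net\.JMSAppender' \
    | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) if appender NAME in FILE is wired to the root logger or
# any <logger> via <appender-ref ref="NAME"/>.
jms_appender_active() {
  grep -q "<appender-ref[^>]*ref=\"$2\"" "$1"
}

# Print the JNDI-related parameters (name=value) of the JMS appender(s) in
# FILE. Under CVE-2021-4104 these are the values an attacker with write
# access to the configuration would point at a server they control.
jms_jndi_params() {
  grep -oE '<param name="(InitialContextFactoryName|ProviderURL|TopicBindingName|TopicConnectionFactoryBindingName)" value="[^"]*"' "$1" \
    | sed 's/<param name="\([^"]*\)" value="\([^"]*\)"/\1=\2/'
}

# Walk DIR and print one line per JMS appender found, flagging ACTIVE ones.
scan_log4j_configs() {
  find_jms_config_files "$1" | while read -r f; do
    jms_appender_names "$f" | while read -r name; do
      if jms_appender_active "$f" "$name"; then
        echo "ACTIVE   $f appender=$name $(jms_jndi_params "$f" | tr '\n' ' ')"
      else
        echo "DORMANT  $f appender=$name (defined but no appender-ref)"
      fi
    done
  done
}

# Constructed sample tree for the demo and for self-checking:
#   active/  JMSAppender wired to <root>           -> ACTIVE
#   dormant/ JMSAppender defined, never referenced -> DORMANT
#   clean/   ConsoleAppender only                  -> not reported
make_sample_configs() {
  mkdir -p "$1/active" "$1/dormant" "$1/clean"
  cat > "$1/active/log4j.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <param name="ProviderURL" value="ldap://broker.example.internal:389"/>
    <param name="TopicBindingName" value="jms/logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="jms/topicConnectionFactory"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="JMS"/></root>
</log4j:configuration>
EOF
  cat > "$1/dormant/app-log4j.xml" <<'EOF'
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender class="org.apache.log4j.net.JMSAppender" name="Audit">
    <param name="TopicBindingName" value="jms/auditTopic"/>
  </appender>
  <appender name="Console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="Console"/></root>
</log4j:configuration>
EOF
  cat > "$1/clean/log4j.xml" <<'EOF'
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="Console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="Console"/></root>
</log4j:configuration>
EOF
}

# Usage: sh scan_log4j.sh /path/to/brms   (scan a real tree)
#        sh scan_log4j.sh --demo           (build and scan the sample tree)
case "${1:-}" in
  --demo) d=$(mktemp -d); make_sample_configs "$d"; scan_log4j_configs "$d"; rm -rf "$d" ;;
  "")     ;;
  *)      scan_log4j_configs "$1" ;;
esac
```

Run it against the directory that holds the BRMS deployment; an ACTIVE line is the case the advisory above is about, and the printed ProviderURL and binding names are what to review (and what an attacker with configuration write access would change). The -iname search also catches file names such as app-log4j.xml and mixed-case variants that a literal *log4j.xml search would miss; configurations kept in log4j.properties rather than XML are not covered by this script.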
Additional information, when available, will also be posted on this page.