Status of Spambrella Products with CVE-2021-44228
A critical remote code execution vulnerability affecting the popular Java logging package Log4j 2, CVE-2021-44228, was published on December 10, 2021. The vulnerability is also referred to as Log4Shell. The following article indicates whether the vulnerability applies to specific Spambrella products, which are delivered through our processor, Proofpoint. For information relating to our ongoing investigation into Log4Shell, see this article.
Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organization, as well as numerous cloud services.
The Log4j 2 library is frequently used in enterprise Java software and is included in Apache frameworks including:
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
- Apache Swift
Other large projects, including Netty, MyBatis and the Spring Framework, also make use of the library.
An application is vulnerable if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library.
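The condition above is what a defender has to establish for each application: is a Log4j 2 version from the affected range on the classpath at all? The script below is an added inventory check, not code from Spambrella or Proofpoint. It walks a directory tree, opens every jar, reads the log4j-core version from the Maven `pom.properties` entry and checks whether the `JndiLookup` class is still present. Two assumptions are not stated on this page and come from the Log4j release history: the affected range is log4j-core 2.0-beta9 through 2.14.1 with the fix first shipped in 2.15.0, and the project's mitigation for older builds is to remove `JndiLookup.class` from the jar. The sample jar at the bottom is constructed in memory for demonstration and contains no real Log4j bytes.

```python
"""Inventory check for Log4j 2 jars (added example; not Spambrella/Proofpoint code).

Assumptions (not from the page): log4j-core records its version in
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, CVE-2021-44228
affects log4j-core 2.0-beta9 through 2.14.1 (fixed in 2.15.0), and the project's
mitigation for old builds removes JndiLookup.class from the jar.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIRST_FIXED = (2, 15, 0)  # assumption: first release with the CVE-2021-44228 fix


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(jar):
    """Report for one jar: declared version, JndiLookup present, vulnerable or not."""
    report = {"version": None, "has_jndi_lookup": False, "vulnerable": False}
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        report["has_jndi_lookup"] = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    report["version"] = line.split("=", 1)[1].strip()
    v = parse_version(report["version"]) if report["version"] else None
    # Flag only when the version predates the fix AND the lookup class is still
    # shipped; a jar with the class removed has had the recommended mitigation.
    if v is not None and v < FIRST_FIXED and report["has_jndi_lookup"]:
        report["vulnerable"] = True
    return report


def scan_tree(root):
    """Walk a directory and inspect every *.jar; returns {path: report}."""
    results = {}
    for p in Path(root).rglob("*.jar"):
        try:
            results[str(p)] = inspect_jar(p)
        except zipfile.BadZipFile:
            results[str(p)] = {"error": "not a zip archive"}
    return results


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed in-memory jar for demonstration only (no real Log4j bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, rep in scan_tree(root).items():
        print(path, rep)
```

Run it against an application's `lib/` directory; any entry reporting `vulnerable: True` is a jar that still needs the upgrade or the class removal. Nested jars (a war or fat jar wrapping log4j-core) are not unpacked by this version of the check.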
- Spambrella Email Security – Not Impacted.
- Spambrella Email Archive – Impacted, remediation implemented.
- Proofpoint Security Awareness Training – Not Impacted.
- Impacted, remediation implemented = the Spambrella service used a version of the Log4j software identified as vulnerable in CVE-2021-44228, and Proofpoint has implemented the open-source project’s recommended mitigation.
- Not Impacted = the Spambrella service does not use a Log4j version vulnerable to CVE-2021-44228.
National Cyber Security Centre – https://www.ncsc.gov.uk/news/apache-log4j-vulnerability