Status of Spambrella Products with CVE-2021-44228

DESCRIPTION

A critical remote code execution vulnerability affecting the popular Java logging package Log4j 2, CVE-2021-44228, was published on December 10, 2021. The vulnerability is also referred to as Log4Shell. This article indicates whether the vulnerability applies to specific Spambrella products, which are delivered through Spambrella's processor, Proofpoint. For information relating to our ongoing investigation into Log4Shell, see this article.

Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency, including enterprise applications, custom applications developed within an organization, and numerous cloud services.

The Log4j 2 library is frequently used in enterprise Java software and is included in Apache frameworks including:

  • Apache Struts2
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Apache Swift

Other large projects, including Netty, MyBatis and the Spring Framework, also make use of the library.

An application is vulnerable if it accepts untrusted user input and passes that input, for example by logging it, to a vulnerable version of the Log4j library.
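To make the "vulnerable version" criterion above concrete for an operator checking their own Java deployments, here is an added defender-side inventory check (example code, not Spambrella's or Proofpoint's): it walks a jar/war/ear and any nested archives, reads the log4j-core version from its Maven pom.properties, and reports whether the build is in the CVE-2021-44228 range or has had JndiLookup.class removed. It assumes the archive keeps log4j-core's standard Maven metadata (shaded or relocated builds need a different check); the fix version 2.15.0 and the backport releases are taken from Apache's advisory rather than from this page, and `build_sample_jar` constructs test data only, not a real artifact.

```python
import io
import re
import zipfile
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0, 0)  # Apache fixed CVE-2021-44228 in log4j-core 2.15.0 (per Apache's advisory)
BACKPORTS = {"2.3.1", "2.12.2", "2.12.3"}  # fixed security releases on older branches
def version_key(version):
    """'2.0-beta9' / '2.14.1' -> comparable tuple; a pre-release sorts below its release."""
    numeric, _, suffix = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", numeric)][:3]
    return tuple(nums + [0] * (3 - len(nums))) + ((-1,) if suffix else (0,))

def classify(version, has_jndi_lookup):
    """Status of one log4j-core build; deleting JndiLookup.class was Apache's no-upgrade mitigation."""
    if version is None:
        return "unknown version, JndiLookup.class present"
    if version in BACKPORTS or version_key(version) >= FIXED:
        return "not affected"
    return "affected" if has_jndi_lookup else "mitigated (JndiLookup.class removed)"

def scan_archive(data, name="archive"):
    """Yield (location, status) for log4j-core found in a jar/war/ear, including nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        match = re.search(r"^version=(.+)$", props, re.M)
        version = match.group(1).strip() if match else None
        if version is not None or JNDI_LOOKUP in names:
            yield name, classify(version, JNDI_LOOKUP in names)
        for entry in names:  # fat jars and wars bundle log4j-core as a nested archive
            if entry.lower().endswith((".jar", ".war", ".ear", ".zip")):
                try:
                    yield from scan_archive(zf.read(entry), f"{name}!{entry}")
                except zipfile.BadZipFile:
                    pass  # not a real archive, e.g. a corrupt or renamed entry

def build_sample_jar(version, include_jndi_lookup, nest_as=None):
    """Constructed test data: a minimal jar mimicking log4j-core's layout, optionally nested in a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if nest_as is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nest_as, buf.getvalue())
    return outer.getvalue()
```

Run `scan_archive` over the bytes of each deployed archive; a result of "affected" means the build is in the vulnerable range and still ships the JNDI lookup class.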

Product Status

Spambrella Email Security – Not Impacted.
Spambrella Email Archive – Impacted, remediation implemented.
Proofpoint Security Awareness Training – Not Impacted.

Status Descriptions:

Impacted, remediation implemented = Spambrella service used a version of the Log4j software identified as vulnerable in CVE-2021-44228, and Proofpoint has implemented the open-source project’s recommended mitigation.

Not Impacted = Spambrella service does not use a Log4j version vulnerable to CVE-2021-44228.

Further Reading:

NIST – https://nvd.nist.gov/vuln/detail/CVE-2021-44228

National Cyber Security Centre – https://www.ncsc.gov.uk/news/apache-log4j-vulnerability