
Is Mend Vulnerable to Log4j DoS Vulnerability CVE-2021-45105?

On December 18, 2021, the NVD published a security vulnerability under the ID CVE-2021-45105. The CVE description is as follows:

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

What specific libraries are vulnerable?

What is vulnerable: Apache Log4j-core versions 2.0-alpha1 through 2.16.0, not including version 2.12.3.

What is not vulnerable: Apache Log4j-core versions 2.12.3 and 2.17.0.

Are Mend offerings vulnerable?

  1. Unified Agent - The Mend Unified Agent is not vulnerable to this Log4j CVE at this time. You are free to use it as needed!

  2. Essentials - The Mend Essentials offering is not vulnerable and safe to use.

  3. Prioritize - The Mend Prioritize offering is not vulnerable and safe to use.

  4. Mend Core - Mend Core is not vulnerable and safe to use.

  5. Artifactory Plugin - The Mend Artifactory Plugin is not vulnerable and safe to use.

  6. Bolt 4 Azure Server - The Mend Bolt 4 Azure Server offering is not vulnerable and safe to use.

  7. AMP Server - The Mend AMP Server is not vulnerable and safe to use.

  8. Mend Plugins - All Mend scanning plugins including Jira Cloud and Server are not vulnerable and safe to use.

  9. WS CLI - The Mend CLI is not vulnerable and safe to use.

  10. Mend Diffend - Mend Diffend is not vulnerable and safe to use.

  11. Mend UI and Dedicated Instances - The Mend UI and all dedicated instances are not vulnerable and therefore safe to use.

  12. IDE Plugins - Our IDE plugins (such as “Advise for <IDE>”) are not vulnerable and safe to use.

  13. Developer Integrations - None of our SCM integrations (hosted and self-hosted) are vulnerable.

Frequently Asked Questions

Q: What is Mend’s recommended action to fix CVE-2021-45105 for my own products?

A: Please reference the Mend Vulnerability Database for the latest up-to-date information on how to fix the vulnerability: CVE-2021-45105.

Q: Do I need to rescan my projects to detect this vulnerability?

A: No. Mend keeps an up-to-date list of vulnerabilities in our index, and alerts are automatically applied to a vulnerability after it is added to our index.

Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?

A: If you have policies set up on your organization, then Mend will automatically notify you in the case that you are affected by this vulnerability. If you did not have that set up, then you can look in the alerts report for the CVE.

Q: How can Mend automatically mitigate this vulnerability for me?

A: Mend’s tool, Remediate, can be used to automatically remediate vulnerabilities such as this one from a pom.xml, build.gradle or another package manager manifest file. You can learn more about Remediate here: Mend Remediate and Renovate

Q: How can I tell if this vulnerability is in one of my transitive dependencies?

A: Our inventory report, vulnerability report, and alerts report all provide the information you need to determine your next steps in mitigating this vulnerability, including which direct dependency pulls in the affected library. To retrieve these reports, you can either use the UI or our Reports API - Synchronous.
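The version range stated above (2.0-alpha1 through 2.16.0, excluding 2.12.3) and the question of transitive dependencies can both be checked locally as a quick sanity check alongside the Mend reports. The following is an added example, not Mend's own tooling or code from this page: it compares log4j-core version strings against the affected range (handling the alpha/beta/rc qualifiers that precede a final release) and walks a `mvn dependency:tree` listing to report each affected log4j-core occurrence together with the chain of parent artifacts that introduces it. The dependency-tree text is a constructed sample, and the line-prefix regex assumes Maven's default three-character tree indentation.

```python
"""Flag log4j-core versions in the CVE-2021-45105 affected range.

Added example, not Mend's tooling. Affected range per the advisory:
2.0-alpha1 through 2.16.0, excluding 2.12.3; fixed in 2.12.3 and 2.17.0.
"""
import re
from typing import List, Optional, Tuple

# Pre-release qualifiers sort before the final release of the same version.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-alpha1' or '2.16.0' into a comparable tuple.

    Layout: (major, minor, patch, qualifier_rank, qualifier_number).
    A final release gets qualifier_rank 3 so it sorts after alpha/beta/rc.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    rank = _QUALIFIER_RANK[qual] if qual else 3
    return (int(major), int(minor), int(patch or 0), rank, int(qual_num or 0))


AFFECTED_LOW = parse_version("2.0-alpha1")
AFFECTED_HIGH = parse_version("2.16.0")
EXCLUDED = {parse_version("2.12.3")}


def is_affected(version: str) -> bool:
    """True if a log4j-core `version` lies inside the CVE-2021-45105 range."""
    v = parse_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH and v not in EXCLUDED


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:shop:jar:1.4.2
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.6.1:compile
[INFO] |  \\- org.example:logging-shim:jar:3.1.0:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] \\- com.example:reporting:jar:0.9.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.12.3:runtime
"""

# Tree drawing characters, then group:artifact:jar:version[:scope].
_DEP_RE = re.compile(
    r"^\[INFO\]\s*([|+\\ -]*)\s*([\w.-]+):([\w.-]+):jar:([\w.-]+)(?::(\w+))?"
)


def find_affected_log4j(tree_text: str) -> List[Tuple[str, str, List[str]]]:
    """Walk a Maven dependency tree and return (version, scope, path) for each
    affected log4j-core occurrence. `path` lists the ancestors that pull it in,
    so a transitive hit can be traced back to the direct dependency to upgrade.
    """
    hits: List[Tuple[str, str, List[str]]] = []
    stack: List[Tuple[int, str]] = []  # (depth, "group:artifact") ancestors
    for line in tree_text.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue
        prefix, group, artifact, version, scope = m.groups()
        depth = len(prefix) // 3  # each tree level is three characters wide
        while stack and stack[-1][0] >= depth:  # climb back to the parent level
            stack.pop()
        if group == "org.apache.logging.log4j" and artifact == "log4j-core" and is_affected(version):
            hits.append((version, scope or "", [name for _, name in stack]))
        stack.append((depth, f"{group}:{artifact}"))
    return hits


if __name__ == "__main__":
    for version, scope, path in find_affected_log4j(SAMPLE_TREE):
        print(f"log4j-core {version} ({scope}) via " + " -> ".join(path))
```

Run it against real output by piping `mvn dependency:tree` into a file and passing that text to `find_affected_log4j`; a hit whose path is more than one artifact deep is exactly the transitive case the question asks about, and the last entry in the path is the dependency to upgrade or override. The version check is deliberately strict about input: any string it cannot parse raises rather than silently passing, so a build with unexpected version formats surfaces instead of being reported clean.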
