Is Mend vulnerable to the Log4j JNDI vulnerability CVE-2021-45046?
On December 14, 2021, the NVD published a security vulnerability under the ID CVE-2021-45046. The CVE description is as follows:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
What specific libraries are vulnerable?
What is vulnerable: log4j-core versions 2.0-beta9 through 2.15.0 (Java 8); on Java 7, version 2.12.2 is excluded because it is the fixed release.
What is not vulnerable: log4j-core version 2.16.0 (Java 8) and 2.12.2 (Java 7).
Are Mend offerings vulnerable?
Unified Agent - The Mend Unified Agent is not vulnerable to CVE-2021-45046 at this time. You are free to use it as needed!
Essentials - The Mend Essentials offering is not vulnerable and safe to use.
Prioritize - The Mend Prioritize offering is not vulnerable and safe to use.
Mend Core - Mend Core is not vulnerable and safe to use.
Artifactory Plugin - The Mend Artifactory Plugin is not vulnerable and safe to use.
Bolt 4 Azure Server - The Mend Bolt 4 Azure Server offering is not vulnerable and safe to use.
AMP Server - The Mend AMP Server is not vulnerable and safe to use.
Mend Plugins - All Mend scanning plugins including Jira Cloud and Server are not vulnerable and safe to use.
WS CLI - The Mend CLI is not vulnerable and safe to use.
Mend Diffend - Mend Diffend is not vulnerable and safe to use.
Mend UI and Dedicated Instances - The Mend UI and all dedicated instances are not vulnerable and therefore safe to use.
IDE Plugins - Our IDE plugins (such as “Advise for <IDE>”) are not vulnerable and safe to use.
Developer Integrations - None of our SCM integrations (hosted and self-hosted) are vulnerable.
Dockerized On-Premise Environment - Our Dockerized On-Premise Environment is not vulnerable.
Frequently Asked Questions
Q: What is Mend’s recommended action to fix CVE-2021-45046 for my own products?
A: Please refer to the Mend Vulnerability Database for the latest information on how to fix this vulnerability: CVE-2021-45046.
Q: Do I need to rescan my projects to detect this vulnerability?
A: No. Mend keeps an up-to-date list of vulnerabilities in our index, and alerts are raised automatically once a vulnerability is added to the index.
Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?
A: If you have policies set up for your organization, Mend will automatically notify you if you are affected by this vulnerability. If you do not have policies set up, you can look for the CVE in the Alerts report.
Q: How can Mend automatically mitigate this vulnerability for me?
A: Mend’s tool, Remediate, can automatically remediate vulnerabilities such as this one in a pom.xml, build.gradle, or other package manager manifest file. You can learn more about Remediate here: Mend Remediate and Renovate.
Q: How can I tell if this vulnerability is in one of my transitive dependencies?
A: Our Inventory report, Vulnerability report, and Alerts report all provide the information you need to determine your next steps in mitigating this vulnerability. To retrieve these reports, you can use either the UI or our Reports API - Synchronous.
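As an added example (not Mend's own code), the following Python script classifies log4j-core versions against the affected range stated above (2.0-beta9 through 2.15.0, with 2.12.2 and 2.16.0 as the fixed releases) and applies that check to a constructed `mvn dependency:tree` listing, which is one way to spot the vulnerable library among direct and transitive dependencies. It assumes the standard Maven coordinate format `group:artifact:jar:version:scope` and only the ranges this page states.

```python
"""Classify log4j-core versions against the CVE-2021-45046 ranges stated above."""
import re
from typing import List, Tuple

# Affected range as stated in the advisory: 2.0-beta9 through 2.15.0,
# except 2.12.2 (the Java 7 fix); 2.16.0 is the Java 8 fix.
FIXED_VERSIONS = {"2.12.2", "2.16.0"}

def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '2.0-beta9' into a sortable key; pre-release builds sort before the
    final release of the same numeric version ('2.0-beta9' < '2.0-rc1' < '2.0')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j-core version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # '2.0' -> (2, 0, 0)
    stage = {"beta": 0, "rc": 1, None: 2}[m.group(2)]
    return nums, stage, int(m.group(3) or 0)

def is_vulnerable(version: str) -> bool:
    """True if this log4j-core version falls inside the affected range."""
    if version.strip() in FIXED_VERSIONS:
        return False
    return parse_version("2.0-beta9") <= parse_version(version) <= parse_version("2.15.0")

def scan_dependency_tree(tree: str) -> List[Tuple[str, bool]]:
    """Find log4j-core entries (direct or transitive) in `mvn dependency:tree` output."""
    coord = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+)")
    findings = []
    for line in tree.splitlines():
        m = coord.search(line)
        if m:
            findings.append((m.group(1), is_vulnerable(m.group(1))))
    return findings

# Constructed sample of `mvn dependency:tree` output; not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.example:other-lib:jar:3.2.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
"""

if __name__ == "__main__":
    for version, vulnerable in scan_dependency_tree(SAMPLE_TREE):
        print(f"log4j-core {version}: {'VULNERABLE' if vulnerable else 'not affected'}")
```

The version parser only understands the `beta`/`rc` qualifiers used in the log4j-core range and raises on anything else, so an unexpected version string is reported rather than silently classified.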