
Is Mend Vulnerable to the log4j JNDI vulnerability CVE-2021-44228?

On Friday, December 10, 2021, the NVD published a security vulnerability under the ID CVE-2021-44228. The CVE description is as follows:

Current Description

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

What specific libraries are vulnerable?

What is vulnerable: Log4j-core versions 2.0.0 - 2.15.0

What is not vulnerable: Log4j versions <= 1.2.17, Log4j-api, and Log4j-core versions 2.16.0 and later

Are Mend offerings vulnerable?

  1. Unified Agent - The Mend Unified Agent is not vulnerable to CVE-2021-44228 at this time. You are free to use it as needed!

  2. Essentials - The Mend Essentials offering is not vulnerable and safe to use.

  3. Prioritize - The Mend Prioritize offering is not vulnerable and safe to use.

  4. Mend Core - Mend Core is not vulnerable and safe to use.

  5. Artifactory Plugin - The Mend Artifactory Plugin is not vulnerable and safe to use.

  6. Bolt 4 Azure Server - The Mend Bolt 4 Azure Server offering is not vulnerable and safe to use.

  7. AMP Server - The Mend AMP Server is not vulnerable and safe to use.

  8. Mend Plugins - All Mend scanning plugins including Jira Cloud and Server are not vulnerable and safe to use.

  9. WS CLI - The Mend CLI is not vulnerable and safe to use.

  10. Mend Diffend - Mend Diffend is not vulnerable and safe to use.

  11. Mend UI and Dedicated Instances - The Mend UI and all dedicated instances are not vulnerable and therefore safe to use.

  12. IDE Plugins - Our IDE plugins (such as “Advise for <IDE>”) are not vulnerable and safe to use.

  13. Developer Integrations - None of our SCM integrations (hosted and self-hosted) are vulnerable.

  14. Dockerized On-Premise Environment - Our Dockerized On-Premise Environment is not vulnerable.

Frequently Asked Questions

Q: What is Mend’s recommended action to fix CVE-2021-44228 for my own products?

A: Please reference the Mend Vulnerability Database for the latest information on how to fix the vulnerability: CVE-2021-44228

Q: Do I need to rescan my projects to detect this vulnerability?

A: No. Mend keeps an up-to-date list of vulnerabilities in our index, and alerts are generated automatically once a vulnerability is added to the index.

Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?

A: If you have policies set up for your organization, Mend will automatically notify you if you are affected by this vulnerability. If you did not have that set up, you can look in the alerts report for the CVE.

Q: How can Mend automatically mitigate this vulnerability for me?

A: Mend’s tool, Remediate, can be used to automatically remediate vulnerabilities such as this one from a pom.xml, build.gradle or another package manager manifest file. You can learn more about Remediate here: Mend Remediate

Q: How can I tell if this vulnerability is in one of my transitive dependencies?

A: Our inventory report, vulnerability report, and alerts report all provide the information you need to determine your next steps in mitigating this vulnerability. To retrieve these reports, you can use either the UI or our Reports API (Synchronous).
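The version ranges listed under "What specific libraries are vulnerable?" and the question above about transitive dependencies both come down to the same check: find every log4j artifact on the build's classpath and compare its version against the affected range. The following script is an added example and is not Mend's code or part of its reports; it reads `mvn dependency:tree` output (the sample tree below is constructed) and classifies each log4j coordinate using the range from the NVD text quoted above: log4j-core 2.0-beta9 through 2.15.0 is affected, while log4j-api, log4j 1.x and log4j-core 2.16.0 and later are not. Pre-release tags (alpha, beta, rc) are ordered below the final release of the same number so that 2.0-beta8 is correctly reported as unaffected.

```python
"""Classify log4j Maven coordinates against the CVE-2021-44228 affected range.

Added example, not Mend's code. Ranges follow the NVD description quoted on this page.
"""
import re
from typing import List, Optional, Tuple

# (major, minor, patch, pre-release rank, pre-release number); rank orders alpha < beta < rc < final
VersionKey = Tuple[int, int, int, int, int]

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

FIRST_AFFECTED: VersionKey = (2, 0, 0, _PRE_RANK["beta"], 9)  # 2.0-beta9 (NVD text)
FIRST_FIXED: VersionKey = (2, 16, 0, 0, 0)                    # anything from 2.16.0 on

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
# A Maven coordinate has 4 to 6 colon-separated fields and contains no whitespace.
_COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5}")


def parse_version(version: str) -> Optional[VersionKey]:
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; None if it cannot be ordered."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag.lower()] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def classify(group: str, artifact: str, version: str) -> str:
    """Return 'vulnerable', 'not-vulnerable' or 'unknown' for one Maven coordinate."""
    if not (group == "org.apache.logging.log4j" and artifact == "log4j-core"):
        return "not-vulnerable"  # log4j-api and log4j 1.x are out of scope for this CVE
    key = parse_version(version)
    if key is None:
        return "unknown"  # e.g. a SNAPSHOT or version range; needs a manual look
    return "vulnerable" if FIRST_AFFECTED <= key < FIRST_FIXED else "not-vulnerable"


def parse_tree_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (group, artifact, version) from one `mvn dependency:tree` line."""
    m = _COORD_RE.search(line)
    if not m:
        return None
    parts = m.group(0).split(":")
    if len(parts) in (4, 5):  # group:artifact:packaging:version[:scope]
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:       # group:artifact:packaging:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None


def scan_tree(tree_text: str) -> List[Tuple[str, str, str, bool]]:
    """Report each log4j artifact as (artifact, version, status, on_classpath).

    With `-Dverbose`, Maven prints copies it mediated away as '(... - omitted for conflict ...)';
    those are reported but flagged as not on the classpath.
    """
    findings = []
    for line in tree_text.splitlines():
        coord = parse_tree_line(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if "log4j" not in artifact:
            continue
        on_classpath = "omitted for" not in line
        findings.append((artifact, version, classify(group, artifact, version), on_classpath))
    return findings


# Constructed sample: log4j-core arrives only transitively, via org.example:widgets.
SAMPLE_TREE = r"""
[INFO] com.example:demo-service:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.example:widgets:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile
"""

if __name__ == "__main__":
    for artifact, version, status, on_cp in scan_tree(SAMPLE_TREE):
        note = "" if on_cp else "(omitted by Maven, not on classpath)"
        print(f"{artifact:<10} {version:<10} {status:<15} {note}")
```

Run it against the output of `mvn dependency:tree -Dverbose` saved to a file to see every copy of log4j-core the build resolves, including the ones Maven's conflict mediation drops; a `vulnerable` entry with `on_classpath` true is the one to remediate.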
