
Innovative's incident response to CVE-2021-44228 Log4Shell: RCE 0-day Exploit

Updated 12/20/2021 07:12:04 PM by jennifer.pelton@iii.com

Answer

12/11/2021:

CVE-2021-44228

On the morning (US time) of Friday, December 10, 2021, we learned of CVE-2021-44228 Log4Shell: RCE 0-day Exploit and engaged our incident response and vulnerability management teams to assess the impact. After thorough assessments and testing, we have determined that Innovative systems were largely unaffected. The handful of systems impacted were remediated immediately (within 24 hours) after discovery. The Vega platform was addressed within the first hour. The few Sierra SAML systems have been addressed and the impacted Sierra customers are being notified. We will monitor this vulnerability using our scanning and intrusion detection tools. We are continuously monitoring our Cloud systems to watch for any potential impact on systems and services. Any future updates will be posted here.


**************************************************************************

Updated 12/20/2021:

In the last 10 days, a total of 4 log4j vulnerabilities (including the CVE above) have been identified, and we at Innovative have done our due diligence and analysis to determine the impact of these new vulnerabilities on our applications. The updates are below:


CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. The engineering and security teams at Innovative have assessed our usage of log4j and determined that the current configurations of log4j are not affected by this vulnerability. Innovative development teams will continue to monitor for new log4j vulnerabilities.


CVE-2021-45105: The engineering and security teams at Innovative have assessed our usage of log4j and determined that application-defined configurations did not use a non-default Pattern Layout or expose control of the logging configuration to potential attackers. Innovative development teams will continue to monitor for new log4j vulnerabilities.


CVE-2021-4104: The engineering and security teams at Innovative have assessed our usage of log4j 1.2 and determined that no instance uses the JMSAppender class, so none are affected by CVE-2021-4104. Note that this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

Solution ID
211211170729667
Last Modified Date
12/20/2021 07:12:04 PM
Collections
  • Encore
  • General Announcements
  • INNReach
  • Millennium
  • Polaris
  • Sierra
  • SkyRiver
  • Vega
  • Virtua
  • Vital
