CVE-2021-44228 and Genuitec

Tim Webb

December 14, 2021

Initial Analysis of CVE-2021-44228

A vulnerability in Apache Log4j2, widely referred to as Log4Shell, was recently announced. To learn more about this vulnerability, visit the NIST National Vulnerability Database.

For transparency, Genuitec has conducted an audit of our server infrastructure, covering both our internal infrastructure and the server components of our products, including CodeTogether and Secure Delivery Center. In all cases, log4j2 is not in use on our servers.

Our methodology to confirm this combined a manual review of components and dependencies with automated scans using tools designed to search inside bundles (for example, jars nested within other jars), not only files exposed at the native file-system level.

For our desktop software: our CodeTogether plugins do not use log4j2 for any purpose, nor is it shipped with them. For MyEclipse, log4j2 is not used in standard operation by any component of MyEclipse. See the update below for clarification of the single presence of log4j2 and why it does not pose an elevated risk. For transparency, there are third-party plugins for Eclipse-based IDEs that optionally depend on log4j2 and can be installed on top of MyEclipse via an update site or alongside CodeTogether.

For more details on Eclipse IDE vulnerabilities:
https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)

Update 12/17/21

MyEclipse

During analysis, we found a single presence of log4j2 in an embedded plugin in MyEclipse, used by an OpenShift client. The client is brought in as a transitive dependency, and it does not use log4j2 during normal MyEclipse usage. This log4j2 instance is only exercised if you explicitly turn on tracing options for the org.jboss.tools.openshift.client plugin and are also using the OpenShift client. In addition, because it does not log data from untrusted sources, we have not identified an exploitable path at this time, even with logging explicitly turned on.

If you are concerned, we suggest running the following tool, which removes the offending JndiLookup class from the jar without impacting MyEclipse functionality (replace [me-install-dir] with the path to your MyEclipse installation):

java -jar logpresso-log4j2-scan-2.1.2.jar --fix "[me-install-dir]"
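As an added illustration (this is not Genuitec's or logpresso's code), the following Python script does what the scanning methodology above and the --fix step describe: it walks an install directory, opens every archive, recurses into jars nested inside other jars (the shape a log4j-core jar embedded in an Eclipse plugin takes), reports the log4j version from the manifest, and can rewrite an archive with JndiLookup.class removed. The plugin names and the fixture it builds in a temporary directory are constructed sample data, not real MyEclipse files.

```python
import io
import os
import re
import tempfile
import zipfile

# Path of the JndiLookup class inside log4j-core. Deleting it from the jar is
# the mitigation Apache documented and the one the logpresso --fix option applies.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)


def _log4j_version(zf):
    """Best-effort version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = VERSION_RE.search(manifest)
    return m.group(1) if m else None


def _scan_zip_bytes(data, chain, findings):
    """Recurse into an in-memory archive and record every JndiLookup hit."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # an entry named *.jar that is not actually an archive
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append({"chain": chain, "version": _log4j_version(zf)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                _scan_zip_bytes(zf.read(name), chain + [name], findings)


def scan_tree(root):
    """Walk a directory (e.g. an IDE's plugins/ folder) and scan every archive,
    including jars nested inside other jars. Each finding carries the path
    'chain' (outer file, then nested entry names) and the manifest 'version'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_zip_bytes(fh.read(), [path], findings)
    return findings


def _strip_zip_bytes(data):
    """Return a copy of an archive without JndiLookup.class, recursing into
    nested archives so a plugin bundle that wraps log4j-core is fixed too."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_EXT):
                try:
                    payload = _strip_zip_bytes(payload)
                except zipfile.BadZipFile:
                    pass  # not a real archive; copy it through unchanged
            dst.writestr(info, payload)  # keeps name, timestamp, compression
    return out.getvalue()


def strip_jndi_lookup(path):
    """Rewrite the archive at `path` in place without JndiLookup.class and
    return the number of hits that remain (expected 0)."""
    with open(path, "rb") as fh:
        fixed = _strip_zip_bytes(fh.read())
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(fixed)
    os.replace(tmp, path)  # atomic swap; run this with the IDE closed
    remaining = []
    _scan_zip_bytes(fixed, [path], remaining)
    return len(remaining)


def build_fixture(root):
    """Constructed sample data (not real Genuitec or Eclipse files): a plugin
    jar embedding an affected log4j-core 2.14.1, plus a clean jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries.items():
                zf.writestr(name, payload)
        return buf.getvalue()

    log4j = jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"
                                         "Implementation-Version: 2.14.1\n",
                 JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})  # placeholder class bytes
    plugins = os.path.join(root, "plugins")
    os.makedirs(plugins, exist_ok=True)
    files = {  # hypothetical plugin names
        "org.example.client_1.0.0.jar": jar({"plugin.xml": "<plugin/>",
                                            "lib/log4j-core-2.14.1.jar": log4j}),
        "org.example.clean_1.0.0.jar": jar({"Foo.class": b"\xca\xfe\xba\xbe"}),
    }
    for name, data in files.items():
        with open(os.path.join(plugins, name), "wb") as fh:
            fh.write(data)


def demo():
    """Scan the fixture, fix every hit, rescan. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        before = scan_tree(root)
        for hit in before:
            strip_jndi_lookup(hit["chain"][0])
        after = scan_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for hit in before:
        print("log4j-core", hit["version"], "at", " -> ".join(hit["chain"]))
    print("hits after fix:", len(after))
```

Run scan_tree on the install directory first and review the findings before calling strip_jndi_lookup on anything; removing the class disables JNDI lookups but is a stopgap, and the durable fix remains upgrading log4j-core in the component that ships it.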

CodeTogether Container for On-Premises Installations

Log4j2 is present in jvb.jar, which is part of the Jitsi Videobridge (JVB), but it is not used at runtime.

A write-up regarding Jitsi and CVE-2021-44228 can be found here:
https://community.jitsi.org/t/cve-2021-44228-and-jitsi-components/108844

Specifically, we do not enable callstats, the JVB integration that write-up identifies as the path through which log4j2 would be used. We leave it disabled for several reasons, one being that it would send information about A/V calls outside of your network.

To avoid false positives from scanners, we will upgrade the JVB component in our next CodeTogether 5.1 release, expected at the start of January.
