Cybersecurity Information Briefing: CVE-2021-44228 (Log4j 2, Log4Shell)

This Intercax Cybersecurity Information Briefing is shared with the Intercax community to inform the community of Intercax’s awareness of and handling of cybersecurity events which are of keen interest to Intercax’s customers.

Intercax’s Cybersecurity Team publishes this cybersecurity information briefing on:

• Common Vulnerability Enumeration CVE-2021-44228

• a Remote Code Execution vulnerability

• Commonly known as “Log4Shell”

• that is undergoing active exploits that are observed in industry-wide use of Apache Log4j 2

Intercax’s Statement on its Products

• Syndeia Cloud v3.4 (and earlier) does not use Apache log4j 2. Two (2) services in Syndeia Cloud use log4j 1.2.17, which is not affected by CVE-2021-44228.

• Syndeia Plugins for SysML modeling tools (MagicDraw and Rhapsody), and Syndeia Standalone do not use log4j 2. They use log4j 1.2.17, which is not affected by CVE-2021-44228.

Intercax’s Statement on its Dependent Services:

Syndeia Cloud uses the following four infrastructure components.

• Apache Cassandra 3.11.10 (persistent store)

  • Not impacted. Cassandra switched to logback in Cassandra 2.1. It does not use log4j (any version).

  • Verified by reference to Cassandra’s changelog, Snyk scans of Cassandra source code, and scanning for log4j in Cassandra Docker container and installation.

• Apache Kafka 1.1.0 (message broker)

  • Not impacted. Kafka 1.1.0 is using log4j 1.2.17 which is not affected by CVE-2021-44228.

  • Verified by reference to Apache Kafka’s 1.1.0 gradle.properties file (https://github.com/apache/kafka/blob/1.1.0/gradle/dependencies.gradle)

  • Verified by in-house Snyk scans of the Kafka 1.1.0 source code and scanning for log4j in Kafka installation.

• Apache Zookeeper 3.4.8 (discovery service)

  • Not impacted. Zookeeper 3.4.8 is using log4j 1.2.16, which is not affected by CVE-2021-44228.

  • Verified by checking the log4j entry in ivy.xml dependency file (https://github.com/apache/zookeeper/blob/release-3.4.8/ivy.xml)

  • Verified by scanning Zookeeper installation

• Apache JanusGraph 0.3.1 (typed property graph)

  • Not impacted for the Syndeia Cloud configuration, as documented in Syndeia Cloud installation. This configuration uses log4j 1.2.16 which is not affected by CVE-2021-44228.

  • Verified by in-house scans of the JanusGraph source code and Docker container

For additional information on Intercax’s investigation of this cybersecurity event, please open a support request on our helpdesk.