Information Posted 15 December 2021
The vulnerability (CVE-2021-44228) in the Apache Log4j2 package was publicly disclosed on December 9 and enables remote code execution and access to servers. Soon after the Apache Foundation released a new version of log4j, an additional vulnerability (CVE-2021-45046) was discovered. The Apache Foundation was quick to release a fix for that vulnerability as well.
IRI Workbench, and the Gulfstream and Sandkey SDKs, use version 1 of log4j (specifically 1.2.15), which predates support for the message lookups that the exploit targets. That means these and all other IRI deliverables (except the DarkShield API, as described below) are not affected by the recently discovered exploit, and there is no need to update them because of it.
The DarkShield API (but not the DarkShield GUI in IRI Workbench), however, does use log4j2, and IRI has already patched it and notified affected customers. In fact, right when the news broke (on Friday, 10 December), and out of an abundance of caution, IRI updated the DarkShield SDK (to internal version 1.3.2), which uses log4j2 version 2.15 instead, addressing the zero-day exploit, even though the actual risk to DarkShield API users was low to begin with due to the way the API is accessed and interacts with logging.
IRI now also offers a further upgrade to log4j version 2.16. If you are a DarkShield API user and have not yet received our notice or patch, please contact email@example.com to obtain the aforementioned upgrade.