JDisc Discovery and Log4j – CVE-2021-44228
Dear JDisc users,
I am pretty sure that you are aware of the log4j security issue CVE-2021-44228. JDisc Discovery is mainly written in Java and we have investigated whether we are affected. One external library (yavijava – a library to access VMware ESX and vSphere servers) uses log4j in version 1.2.17.
We have investigated the information and found that log4j 1.2.x is also affected, but only with a special configuration. The JMSAppender must be configured in order to have a vulnerability similar to CVE-2021-44228. JDisc Discovery is not using the JMSAppender and therefore, we conclude that JDisc Discovery is not affected even though yavijava uses log4j 1.2.
However, we decided to remove the affected log4j library completely and replace it with the SLF4J framework. Starting with build 5092 released on Dec. 14th, we have removed the usage of the affected log4j component completely from our project!