Log4j
While eFORMz uses utilities from Apache Foundation, eFORMz does not deliver the components used in this exploit.
To satisfy the call requirements for logging we ship slf4j (Simple Logging Façade for Java) and that points to no-op (slf4j-nop) rather than log4j.
The shipped version of slf4j should be 1.7.25 (https://www.cvedetails.com/version/267529/Slf4j-Slf4j-1.7.25.html)
First Steps
- To ensure our product is safe on your system, please verify that none of the offending files “log4j-core-*.jar” have been installed.
- The CVE-noted option of disabling message lookups will not adversely affect eFORMz. Add -Dlog4j2.formatMsgNoLookups=true to the startup. Call for assistance. This should not have any effect on eFORMz, as there is no current use for logging through this facility.
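The two checks above can be scripted. The following is an added example, not an eFORMz tool; it assumes the eFORMz installation directory is given as the first argument and the Java startup command line as the second.

```shell
#!/bin/sh
# Added example (not eFORMz's own tooling). Assumes $1 is the eFORMz install
# directory and $2 is the Java startup command line used to launch it.

# Print any log4j-core jars under the directory; any hit is a finding.
find_log4j_core() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null
}

# Print the slf4j jars present so the version (expected 1.7.25) and the
# no-op binding (slf4j-nop) can be confirmed by eye.
list_slf4j_jars() {
  find "$1" -type f \( -name 'slf4j-api-*.jar' -o -name 'slf4j-nop-*.jar' \) 2>/dev/null | sort
}

# Succeed (status 0) only when the lookup-disabling flag is on the command line.
has_no_lookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Overall check: status 0 when no log4j-core jar is present and the flag is set.
check_install() {
  dir=$1; cmdline=$2; status=0
  hits=$(find_log4j_core "$dir")
  if [ -n "$hits" ]; then
    echo "FINDING: log4j-core jar(s) present:"; echo "$hits"; status=1
  else
    echo "OK: no log4j-core-*.jar under $dir"
  fi
  echo "slf4j jars found:"; list_slf4j_jars "$dir"
  if has_no_lookups_flag "$cmdline"; then
    echo "OK: -Dlog4j2.formatMsgNoLookups=true is set in the startup"
  else
    echo "NOTE: -Dlog4j2.formatMsgNoLookups=true is not set in the startup"; status=1
  fi
  return $status
}

# Run the check when invoked with arguments, e.g. ./check.sh /opt/eformz "$(cat start.cmd)"
if [ "$#" -ge 1 ]; then
  check_install "$1" "${2:-}"
fi
```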
Next Steps
- If you do not use the web services built into eFORMz, ensure they are disabled.
- If you do use the web services, ensure your firewall rules are valid and that the authentication used is appropriate.
Reference: