Security Bulletin: Apache Log4j2 (CVE-2021-44228)

Updated: Tuesday, December 15, 2021

INT is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility, and we are monitoring this issue and working to assess the impact, if any, it may have on our products or customers.

Impact on INT Software

GeoToolkit

GeoToolkit is NOT affected by this vulnerability.
 

INTGeoServer (used by INTViewer, IVAAP, and HTML5Viewer)

INTGeoServer is NOT affected by this vulnerability.
 

INTViewer

INTViewer and plugins developed by INT are NOT affected by this vulnerability.
 
However, clients who have developed their own INTViewer plugins are advised to check them for any issues with Log4j. One INT plugin, the SEGD plugin, uses an older, unaffected version of Log4j (1.2.17). Only version 2.x of Log4j (specifically, versions greater than 2.0-beta9 and lower than 2.14.1) is affected by this vulnerability. The known vulnerability for Log4j version 1.x (CVE-2021-4104) doesn’t affect INTViewer because JMSAppender is not used.
 

IVAAP

The IVAAP data backend is NOT affected by this vulnerability.

The nodes of the IVAAP Data Backend do not use Log4j. The deployment includes a conf/log4j.properties file, but this is a convenience configuration file in case customers add components that use Log4j. There is no matching Log4j jar deployed by default in the nodes themselves.

However, IVAAP does use ActiveMQ, which uses an older, unaffected version of Log4j (1.2.17). Only version 2.x of Log4j (specifically, versions greater than 2.0-beta9 and lower than 2.14.1) is affected by this vulnerability. The known vulnerability for Log4j version 1.x (CVE-2021-4104) doesn’t affect IVAAP because JMSAppender is not used.
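
One way to run the checks described in the INTViewer and IVAAP sections on a custom plugin or added component: look inside each jar for the Log4j 2.x JndiLookup class or the Log4j 1.x JMSAppender class, and look for JMSAppender in Log4j configuration files. This is an added example, not INT's code; the function names are illustrative and the directory to scan is supplied by the reader.

```python
# Added example: helper names are illustrative and not part of any INT product.
import os, re, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # bundled by Log4j 2.x core
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # bundled by Log4j 1.x
CONFIG_NAME = re.compile(r"log4j.*\.(properties|xml)$", re.I)

def inspect_jar(path):
    """Return findings for one jar, based on the classes it bundles rather than its file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return ["unreadable archive"]
    findings = []
    if JNDI_LOOKUP in names:
        findings.append("Log4j 2.x core with JndiLookup: check version against CVE-2021-44228")
    if JMS_APPENDER in names:
        findings.append("Log4j 1.x: CVE-2021-4104 is relevant only if JMSAppender is configured")
    return findings

def config_uses_jms_appender(path):
    """True if a Log4j config mentions JMSAppender outside '#' or '!' comment lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped.startswith(("#", "!")) and "JMSAppender" in stripped:
                return True
    return False

def audit(root):
    """Walk root and return {path: [findings]} for jars and Log4j config files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".jar"):
                findings = inspect_jar(path)
            elif CONFIG_NAME.search(name):
                findings = ["JMSAppender configured"] if config_uses_jms_appender(path) else []
            else:
                continue
            if findings:
                report[path] = findings
    return report

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Jars nested inside other archives are not opened, and a commented-out appender in an XML configuration is still reported, so an empty result covers only top-level jars and plain configuration files.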

If you have any questions, please feel free to contact us at support@int.com.