On December 9, 2021, Apache published the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions prior to 2.15.0:
“CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.”
The Perfecto environment was investigated, and it was found that some backend subsystems included the Log4j module and thus were potentially vulnerable to the issue.
Our team addressed this vulnerability, and after thorough testing was performed, we verified that the fixes were successful.
We are aware of a newly identified vulnerability, CVE-2021-45046: “Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.” Our engineering and product teams are aware of this vulnerability.
We have taken additional steps to ensure that our infrastructure and centralized IT services are remediated. Perfecto is not currently vulnerable, and no customer action is needed at this time.
Although Perfecto is clear, we advise you to check with your third-party vendors to determine your exposure to other applications and services that you use. If the Log4j library is used, it is strongly suggested that you upgrade to version 2.16 of Log4j to be safe.
If any additional patches or updates are necessary, we will include that information on the Perforce Log4j status page.
For the official Perforce response and latest details, please visit Perforce.com.