December 17, 2021

Apache Log4j 2: Perfecto Update

On December 9, 2021, Apache published the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions prior to 2.15.0: 

“CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.” 

Perfecto Is Clear and Not Affected by the Log4j Vulnerability  

The Perfecto environment was investigated, and it was found that some backend subsystems included the Log4j module and thus were potentially vulnerable to the issue. 

Our team addressed this vulnerability and, after thorough testing, verified that the fixes were successful.

Latest Development (12/15/2021) 

We are aware of a newly identified vulnerability: “CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.” Our engineering and product teams are aware of this vulnerability.

We have taken additional steps to ensure that our infrastructure and centralized IT services are remediated. Perfecto is not currently vulnerable, and no customer action is needed at this time. 

Our Recommendation  

Although Perfecto is clear, we advise you to check with your third-party vendors to determine your exposure through other applications and services that you use. If the Log4j library is used, it is strongly suggested that you upgrade to version 2.16 of Log4j to be safe.

If any additional patches or updates are necessary, we will include that information on the Perforce Log4j status page.

For the official Perforce response and latest details, please visit Perforce.com.  
