The version of log4j (1.2.17, also referred to as log4j1) used in the Kaazing Gateway/KWIC is not affected by the vulnerability in CVE-2021-44228. As stated by Apache here, "Log4j 1.x is not impacted by this vulnerability".
Official statements from Microsoft and Amazon regarding their use of log4j1:
- Microsoft: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/, "Systems running on Log4j 1.x are not impacted by these vulnerabilities."
- Amazon: Amazon is using log4j version 1.2.17 for Amazon Kafka in their MSK product, which they have stated here https://aws.amazon.com/security/security-bulletins/AWS-2021-006/, "Please note that the builds of Apache Kafka and Apache Zookeeper offered in MSK currently use log4j 1.2.17, which is not affected by this issue."
The use of log4j 1.2.17 in Kaazing Gateway/KWIC is not impacted by CVE-2021-44228. We have no current plans to upgrade from log4j1 to log4j2.
Prior CVE's for log4j1 and our official responses:
CVE-2021-4104 (Published 12/14/2021) - https://www.cvedetails.com/cve/CVE-2021-4104/
At the time of publication, we reviewed the CVE and found that this issue only affects the applications that use the JMSAppender class. The Gateway does not use the JMSAppender class, thus the Gateway is unaffected by this CVE.
CVE-2019-17571 (Published 12/20/2019) - https://www.cvedetails.com/cve/CVE-2019-17571/
At the time of publication, we reviewed the CVE and found that this issue only affects the applications that use the SocketServer class. The Gateway does not use the SocketServer class, thus the Gateway is unaffected by this CVE.