Are Atea Applications Vulnerable to the Log4j RCE (CVE-2021-44228)?
The Atea Applications are not using the log4j library for logging and are therefore not susceptible to the Log4j RCE (CVE-2021-44228).
You may find files like these if you scan our server:
| File | Link | Explanation | 
|---|---|---|
| log4j-1.x.x.jar | link | This is Log4j version 1, which is not vulnerable. The library is not used for logging; it is included in the build due to legacy exported dependencies. |
| log4j-api-2.x.x.jar | link link2 | This is a Log4j version 2 API library included by spring-bootstrap. It cannot be exploited on its own without adding log4j-core-2 AND logging using log4j, which the Atea applications don't use. |
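
One way to triage scanner hits like the ones in the table, as an added example (not Atea's code): it walks an archive, including nested jars, and flags only log4j-core 2.x or the `JndiLookup` class that log4j-core carries. The sample archive, its file names and its version numbers are constructed for illustration.

```python
import io
import re
import zipfile

# The class that performs the JNDI lookup; it ships in log4j-core 2.x, not in log4j-api.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LIB = re.compile(r"(?:^|/)(log4j-core-2|log4j-api-2|log4j-1)\.[^/]*\.jar$")

def classify(entry):
    """Return which kind of Log4j jar an archive entry name is, or None."""
    m = LIB.search(entry)
    return m.group(1) if m else None

def scan(data, path, depth=0):
    """Walk an archive given as bytes, descending into nested jars (fat-jar layout)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive: nothing to report
    with zf:
        for entry in zf.namelist():
            full = f"{path}!/{entry}"
            kind = "JndiLookup.class" if entry == JNDI_LOOKUP else classify(entry)
            if kind:
                hits.append((full, kind))
            if re.search(r"\.(jar|war|ear)$", entry) and depth < 4:
                hits += scan(zf.read(entry), full, depth + 1)
    return hits

def needs_action(hits):
    """Only log4j-core 2.x (or a repackaged JndiLookup class) warrants follow-up."""
    return any(kind in ("log4j-core-2", "JndiLookup.class") for _, kind in hits)

def make_jar(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a fat jar holding only the two libraries from the table (arbitrary versions).
SAMPLE = make_jar({
    "BOOT-INF/lib/log4j-1.2.3.jar": make_jar({"org/apache/log4j/Logger.class": b""}),
    "BOOT-INF/lib/log4j-api-2.0.0.jar": make_jar({"org/apache/logging/log4j/Logger.class": b""}),
})

if __name__ == "__main__":
    print(*scan(SAMPLE, "app.jar"), sep="\n")
```

A hit on log4j-core 2.x only means the version and logging configuration need checking; the two libraries from the table alone produce no such hit.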