Last Updated

03 Jan 2022

Peer Software has been monitoring the news around the recently published remote code execution vulnerability that involves the Apache Log4j v2 library (CVE-2021-44228).

This vulnerability does not affect any of our products.  More details can be found below.

Product/ToolVersion(s)StatusDescription
Peer Global File ServiceAllNot impactedPeerGFS does not use Log4j v2, nor does it use Log4j's JMSAppender (noted in CVE-2021-4104) or SocketServer (noted in CVE-2019-17571).
PeerLinkAllNot impactedPeerLink does not use Log4j v2, nor does it use Log4j's JMSAppender (noted in CVE-2021-4104) or SocketServer (noted in CVE-2019-17571).
PeerSyncAllNot impactedPeerSync does not use Log4j in any capacity.
PeerLockAllNot impactedPeerLock does not use Log4j in any capacity.
File System AnalyzerAllNot impactedFile System Analyzer does not use Log4j in any capacity.
File Activity AnalyzerAllNot impactedFile Activity Analyzer does not use Log4j in any capacity.
Health CheckerAllNot impactedHealth Checker does not use Log4j in any capacity.

Some additional notes on this and related vulnerabilities:

  • We have seen some scanners that label the Log4j library used in PeerGFS and PeerLink as being impacted by this vulnerability.

    On closer investigation, it appears that some scanners are simply looking for any version of Log4j that is less than 2.15.0. Based on research and feedback from the Log4j development team, this particular vulnerability only impacts Log4j v2. It does not apply to Log4j v1 and as such, does not apply to PeerGFS and PeerLink.
  • Some scanners may pick up on a pair of Log4j v2 libraries that are bundled with the new Peer Management API service in PeerGFS v4.6 and above. Log4j v2 provides a logging API in addition to a core logging engine. The core logging engine library is the one impacted by this vulnerability. The libraries bundled with PeerGFS (log4j-api-2.x and log4j-to-slf4j-2.x) are tied to the Log4j v2 API only, not to the core logging engine. As such, this vulnerability does not apply to the Peer Management API service and PeerGFS.
  • There is a similar CVE (CVE-2021-4104) now posted for Log4j v1's JMSAppender functionality. As shown in the table above, PeerGFS and PeerLink do not use this JMSAppender functionality and as such, this related vulnerability does not apply.
  • Log4j v1 does have a critical vulnerability in it (CVE-2019-17571). However, as shown in the table above, PeerGFS and PeerLink do not use this SocketServer functionality and as such, this vulnerability does not apply.
  • A related vulnerability has been reported for Log4j v2.15.0 (CVE-2021-45046). As shown in the table above, PeerGFS and PeerLink do not use Log4j v2 and as such, this related vulnerability does not apply.
  • A related vulnerability has been reported for Log4j v2.16.0 (CVE-2021-45105). As shown in the table above, PeerGFS and PeerLink do not use Log4j v2 and as such, this related vulnerability does not apply.
  • A related vulnerability has been reported for Log4j v2.17.0 (CVE-2021-44832). As shown in the table above, PeerGFS and PeerLink do not use Log4j v2 and as such, this related vulnerability does not apply.

If you have additional questions, please contact our support team via the Peer Service Desk.