Originally posted on December 20, 2021
On December 20, 2021, Code42 released app version 8.8.1 with an updated build, which updates the Log4j library to version 2.16.0. This mitigates CVE-2021-45046.
If you have enabled delayed client updates, we recommend reviewing and adjusting your settings to allow all clients to update immediately. For administrators who did not configure a delay, your devices will upgrade automatically.
We will continue to apply additional patches for Log4j as they are released. Based on NIST guidelines as of December 20, 2021, Log4j 2.17 updates will be made as part of ongoing patch cycles in January 2022. Code42 will adjust planned upgrade cycles should requirements and guidelines change.
Additional context for Code42 approach to updating to Log4j 2.17
Based on extensive testing, we do not believe that Code42 products and services are susceptible to risk presented by CVE-2021-45105 once all currently available patches and mitigations as documented on our Industry Response page have been implemented.
- The vulnerability outlined in 2.16 references an attack with control over Thread Context Map data to cause a denial of service.
- Code42 products and services do not provide a way for an attacker to control Thread Context Map data
- Code42 products and services do not use any non-default logging patterns involving the Thread Context Map, which is required for exploitation
- Code42 has completed Red Team attacks and have engaged with security researchers via our bug bounty program to ensure we are not vulnerable to what is being described within log4j version 2.16
As this is a rapidly evolving situation, we will continue to provide updates describing the steps being taken to mitigate against this threat.
Additional details regarding Code42’s response to Log4j can be found here:
For additional information regarding these releases or Code42’s response to Log4j, please reach out to Code42 customer champions.
Chief Information Security Officer