
You may have heard over the last couple of days about the vulnerability in Apache Log4j 2.

This exploit is based on the Log4j variable lookup mechanism in v2.x (related to Log4Shell / CVE-2021-44228). This feature does not exist in Log4j 1.2.x, which icCube uses.

For information: by default, Log4j 2.x enabled message lookups (the behavior controlled by the formatMsgNoLookups setting), which can be exploited when the Java code runs on certain JRE versions.

icCube uses an older Log4j version (1.2) that does not support the faulty lookup behavior, and therefore icCube is not impacted by this vulnerability.

ADDENDUM (Dec 14, 2021): Impact if JMSAppender is being used

Please note that if Log4j v1.x has been configured to use JMSAppender, the reported vulnerability is in fact a potential threat with “moderate severity”. Read more: CVE-2021-4104.

icCube does not use the Log4j JMSAppender by default (you can check the log4.xml file).
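One way to carry out that check, as an added example that is not icCube's own code: the script parses a Log4j 1.x XML configuration and reports every JMSAppender, whether anything references it, and the two JNDI-related parameters named in CVE-2021-4104. The sample configuration is constructed for illustration and is not icCube's shipped file.

```python
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# Parameters CVE-2021-4104 names as the inputs to the JNDI requests.
JNDI_PARAMS = {"TopicBindingName", "TopicConnectionFactoryBindingName"}

# Constructed sample configuration (assumption: not icCube's shipped file).
SAMPLE_CONFIG = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="logs/app.log"/>
  </appender>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root>
    <priority value="info"/>
    <appender-ref ref="FILE"/>
    <appender-ref ref="JMS"/>
  </root>
</log4j:configuration>
"""


def find_jms_appenders(xml_text):
    """Return one finding per JMSAppender declared in a Log4j 1.x XML config."""
    root = ET.fromstring(xml_text)
    # Appender names attached to a logger, category, root or another appender.
    referenced = {ref.get("ref") for ref in root.iter("appender-ref")}
    findings = []
    for appender in root.iter("appender"):
        if appender.get("class", "").strip() != JMS_CLASS:
            continue
        params = {p.get("name"): p.get("value") for p in appender.findall("param")}
        findings.append({
            "name": appender.get("name"),
            "referenced": appender.get("name") in referenced,
            "jndi_params": {k: v for k, v in params.items() if k in JNDI_PARAMS},
        })
    return findings


if __name__ == "__main__":
    for finding in find_jms_appenders(SAMPLE_CONFIG):
        print(finding)
```

An empty result means no JMSAppender is declared in the file. The script covers the XML format only; a properties-style Log4j 1.x configuration needs a separate check.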

We’d like to kindly thank our user who has warned us about this very specific configuration.

By Nathalie Leroy Tapia Heredia
