English
Skip to content
English - United Kingdom
  • There are no suggestions because the search field is empty.

Is Auditbase affected by the Log4J 2 vulnerability CVE?

+44 (0) 333 444 4212

www.auditdata.com

support@auditdata.com

14 December 2021



    




Auditbase is not affected by the Log4J 2 vulnerability CVE-2021-44228.

 

Auditbase is not affected by the highly publicised Log4J 2 vulnerability CVE-2021-44228 described here https://www.ncsc.gov.uk/news/apache-log4j-vulnerability.  Log4J 2 is an Apache logging service requiring Java.  Auditbase itself does not use Java components.

 

Auditdata distribute Lyniate Rhapsody for HL7 integrations and Crystal Reports XI Developer Edition for Crystal Report editing.  These products contain an older version of Log4j 1.2 which is not subject to the vulnerability.   Log4j 1.2 whilst dated, is a proven and successful design. Core components and features used by Rhapsody and Crystal Reports XI Developer Edition have no high-rated vulnerabilities.

 

There is a related vulnerability in Log4J 1.2 (currently labelled CVE-2021-4104) used in Rhapsody which is present in its JMSAppender. Rhapsody is not impacted by this as the JMSAppender is not used by Rhapsody, nor is it possible for users to enable it as Rhapsody does not include the necessary libraries.  From a security standpoint, there is only one other Critical/High-rated vulnerability against log4J 1.2; this is CVE-2019-17571 affecting the SocketServer class, which Rhapsody does not use and is hence not impacted by.  Crystal Reports XI Developer Edition also does not include JMSAppender or SocketServer components or functionality so is not subject to any known vulnerabilities