MicroEJ and CVE-2021-44228 (Log4Shell)

Hello,

On December 10, 2021, a remote code execution (RCE) exploit was disclosed for several versions of the Apache Log4j 2 library. This vulnerability is identified as CVE-2021-44228. Affected code exists in Log4j versions 2.0 to 2.14.1. MicroEJ R&D and IT teams proceeded with verification of all MicroEJ assets and can confirm that MICROEJ products are not affected by this vulnerability.

More details about our analysis:

a) MICROEJ VEE does not implement remote class loading via JNDI objects. Consequently, applications running on MICROEJ VEE are not affected by this vulnerability.

b) MICROEJ SDK, MICROEJ Studio, and MICROEJ License server use Log4j 1.2, not Log4j 2.x. Log4j 1.2 contains a known, less severe vulnerability (CVE-2019-17571) that depends on use of the SocketServer class, which is not used.

c) MICROEJ Architecture tools and MICROEJ Forge do not use Log4j. The tools include, for instance, the SOAR, the linker, the test suite engine, the font generator, the image generator, virtual devices, and mocks.

d) MICROEJ Central Repository and Developer Repository do not use Log4j.

Therefore, no action is required by our valued Customers regarding this issue when using MICROEJ products.

The MicroEJ Team.
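
For readers who want to run the same kind of inventory on their own Java tooling, here is an added example (not MicroEJ's code or tooling) that classifies a JAR by the Log4j line it bundles, using the version range exactly as stated in this advisory. It assumes the standard class and `pom.properties` paths inside the `log4j-core` and Log4j 1.2 JARs; the function names and result labels are hypothetical, and the sample JARs are constructed in memory.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"


def in_affected_range(version):
    """True if version falls in 2.0 .. 2.14.1, the range stated in the advisory."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    parts = tuple(int(p or 0) for p in m.groups())
    return (2, 0, 0) <= parts <= (2, 14, 1)


def classify_jar(jar):
    """Classify one JAR (path or file object) by the Log4j line it bundles."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or CORE_POM in names:
            version = None
            if CORE_POM in names:
                props = zf.read(CORE_POM).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            if version is None:
                return "log4j2-unknown-version"  # no metadata: review by hand
            if JNDI_LOOKUP in names and in_affected_range(version):
                return "log4j2-in-cve-2021-44228-range"
            return "log4j2-outside-range"
        if LOG4J1_MARKER in names:
            # Class presence is not usage: CVE-2019-17571 needs SocketServer running.
            return "log4j1-socketserver-present" if SOCKET_SERVER in names else "log4j1"
        return "no-log4j"


def make_jar(entries):
    """Build a constructed sample JAR in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

A `log4j1-socketserver-present` result only says the class ships in the JAR; whether anything starts `SocketServer` still has to be checked in the application's code and configuration.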