Summary
VisiBroker and the Log4J1.x Vulnerabilities
Environment
VisiBroker 8.5
All supported platforms
Question/Problem Description
Prior to service pack 8, VisiBroker 8.5 shipped with Log4J1. This version of Log4J has a number of known vulnerabilities, including:
- CVE-2022-23307
- CVE-2022-23302
- CVE-2022-23305
- CVE-2019-17571
This article describes why VisiBroker is not susceptible to the above vulnerabilities.
Resolution
VisiBroker is not susceptible to the Log4J1 vulnerabilities for the following reasons:
- CVE-2022-23307
  - This relates to the Log4J Chainsaw viewer. As Chainsaw is not shipped with VisiBroker, VisiBroker is not impacted in any way.
- CVE-2022-23302 & CVE-2022-23305
  - These relate to Log4J appenders that VisiBroker does not use by default; by default, VisiBroker uses the Log4J File appender. These vulnerabilities are therefore only relevant if the customer creates explicit configuration that causes these non-default appenders to be used.
- CVE-2019-17571
  - This relates to the SocketServer class, which is again not used by VisiBroker by default.

In short, none of the above vulnerabilities are relevant to VisiBroker out of the box.
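The resolution turns on whether explicit configuration pulls in a non-default appender. The following script is an added example, not part of this article or of VisiBroker: it audits a log4j.properties-style configuration (assumed format) for appenders other than the Log4J file appenders and names the CVE for the JDBC appender. The sample configuration is constructed, and the CVE-to-class mapping comes from the public Log4J 1.x advisories rather than from this article.

```python
import re
from typing import Dict, List, Tuple

# Log4J 1.x appenders that write to files; the article states VisiBroker uses the File appender by default.
FILE_APPENDERS = {
    "org.apache.log4j.FileAppender",
    "org.apache.log4j.RollingFileAppender",
    "org.apache.log4j.DailyRollingFileAppender",
}
# Configurable appender tied to one of the listed CVEs (mapping from the public advisory,
# not the article). JMSSink (CVE-2022-23302), SocketServer (CVE-2019-17571) and Chainsaw
# (CVE-2022-23307) are standalone programs, not appenders set here, so they are not scanned for.
CVE_APPENDERS = {"org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305"}

# Only log4j.appender.NAME=CLASS defines an appender; keys with more dotted parts
# (log4j.appender.NAME.File, ...) are options and must not match.
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")

def parse_appenders(config_text: str) -> Dict[str, str]:
    """Return {appender name: class} from log4j.properties-style text."""
    appenders: Dict[str, str] = {}
    for line in config_text.splitlines():
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders

def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, class, finding) for every appender that is not a file appender."""
    findings: List[Tuple[str, str, str]] = []
    for name, cls in parse_appenders(config_text).items():
        if cls in FILE_APPENDERS:
            continue  # the documented default; nothing to review
        findings.append((name, cls, CVE_APPENDERS.get(cls, "non-default appender: review")))
    return findings

# Constructed sample (not a VisiBroker-shipped file): one default file appender plus a JDBC appender.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, vbfile, db
log4j.appender.vbfile=org.apache.log4j.RollingFileAppender
log4j.appender.vbfile.File=vbroker.log
log4j.appender.vbfile.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:placeholder://db-host/logs
"""

if __name__ == "__main__":
    for name, cls, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {cls} -> {finding}")
```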