Java Zero Day Question

I received a question from our IT department about a severe vulnerability in the Log4J utility and they are asking what our risks are.

https://insidexpress.com/technology/zeroday-exploit-for-critical-log4j-bug-poses-a-grave-threat-to-the-internet/

Can you provide some insight for me to relay to them?

Thank you.

1 Like

I think we’re crafting some kind of official statement, but there’s nothing to worry about.

Ignition doesn’t use log4j as its logging backend. Both 7.9 and 8.x versions use a different backend called logback instead. Even old unsupported versions of Ignition that did use log4j used version 1.x, which isn’t affected.

For anyone interested, this is the CVE: CVE-2021-44228

8 Likes

Thank you Kevin, this is good news!

Hello all,
We have also received that notice from the IT department.
Is version 7.9.10 (b2018112821) affected?

No.

Kevin literally said this

1 Like

Thanks

Since this is one of the top hits on Google, I thought I’d share our official response.

The most relevant paragraph:

Inductive Automation has conducted a full audit of Ignition’s direct and transitive dependencies to confirm that log4j is not used or included in any supported or unsupported release of Ignition, and as such it is not vulnerable to the RCE outlined in CVE-2021-44228. This includes LTS versions 7.9 and 8.1, as well as all past and non-LTS versions. While Ignition versions 7.8 and prior did use log4j for its logging backend, the version used (1.2.x) is not affected.
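For anyone who needs to show their IT department the same thing on their own install, here is a dependency check in the spirit of the audit described above. It is an added example, not part of the thread and not Inductive Automation's audit tooling. It walks a directory of Java archives, including archives nested inside others, and reports which ones carry logback, log4j 1.x classes, or the log4j-core 2.x `JndiLookup` class that CVE-2021-44228 concerns. The label strings, depth limit and size limit are assumptions chosen for the example.

```python
import io
import zipfile
from pathlib import Path

# Entry names that identify each logging library inside an archive.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
LOG4J1_PREFIX = "org/apache/log4j/"   # log4j 1.x API (the 1.2.x line the vendor mentions)
LOGBACK_PREFIX = "ch/qos/logback/"    # logback, the backend named in the thread
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4                    # assumption: nesting limit for fat jars / wars
MAX_NESTED = 256 * 1024 * 1024   # assumption: skip nested archives larger than this


def classify(names):
    """Map an archive's entry names to the logging libraries they evidence."""
    found = set()
    for name in names:
        if name.endswith(JNDI_LOOKUP):   # endswith also matches WEB-INF/classes/...
            found.add("log4j2-jndi-lookup")
        elif name.startswith(LOG4J1_PREFIX):
            found.add("log4j-1.x")
        elif name.startswith(LOGBACK_PREFIX):
            found.add("logback")
    return found


def scan_archive(source, label, results, depth=0):
    """Record findings for one archive, then recurse into archives nested in it."""
    try:
        with zipfile.ZipFile(source) as zf:
            hits = classify(zf.namelist())
            if hits:
                results[label] = sorted(hits)
            for info in zf.infolist():
                nested = info.filename.lower().endswith(ARCHIVES)
                if nested and depth < MAX_DEPTH and info.file_size <= MAX_NESTED:
                    inner = io.BytesIO(zf.read(info))
                    scan_archive(inner, f"{label}!/{info.filename}", results, depth + 1)
    except zipfile.BadZipFile:
        results[label] = ["unreadable"]


def scan_tree(root):
    """Scan every archive under root; returns {archive path: [libraries found]}."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path, path.relative_to(root).as_posix(), results)
    return results
```

Call `scan_tree()` on the application's install directory. Any `log4j2-jndi-lookup` hit names an archive whose log4j-core version should be checked against the CVE advisory, and `unreadable` entries need a manual look.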