The Enlighted Manage application uses log4j 1.2, which is not subject to the recently reported vulnerabilities associated with log4j version 2 (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105). Subsequent to the initial log4j version 2 vulnerability reports, CVE-2021-4104 was published describing a similar JNDI exploit on log4j 1.2. However, several additional prerequisites to the log4j 1.2 exploit are not present in the Manage application.
The Manage on-premise appliance does have a log4j version 2 library file on disk. This is an inactive library file associated with past internal software development activities and has not been used by the Manage application deployed to customers. Therefore, the Manage application is not deemed to be at risk of the currently known log4j JNDI exploits.
Manage version 4.3 is currently being prepared for release and already has the inactive log4j version 2 library file removed from the disk. This will help customers who implement log4j vulnerability scans of their IT infrastructure to get a clean scan.
Enlighted plans to proactively upgrade the Manage application from log4j 1.2 to the latest recommended version (2.17.1 as of this writing) within the next release cycle.
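The following is an added example, not Enlighted's code or tooling: a minimal on-disk inventory of the kind a log4j vulnerability scan performs, showing why an inactive log4j version 2 file is reported even when the running application uses log4j 1.2. The directory layout and file names are constructed, and the marker class for CVE-2021-4104 (`JMSAppender`) comes from the public CVE description rather than from this notice.

```python
import os
import re
import tempfile
import zipfile

# Marker classes for the code paths the CVEs concern (Apache log4j class names).
JNDI_LOOKUP_V2 = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER_V1 = "org/apache/log4j/net/JMSAppender.class"  # log4j 1.2, CVE-2021-4104

def classify_jar(path):
    """Describe a log4j 1.x or log4j-core 2.x jar; return None for anything else."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable, or not a zip archive
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        family = "2.x"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        family = "1.x"
    else:
        return None
    m = re.search(r"(\d+(?:\.\d+)+)", os.path.basename(path))  # version from file name
    return {"path": path, "family": family, "version": m.group(1) if m else "unknown",
            "jndi_lookup": JNDI_LOOKUP_V2 in names, "jms_appender": JMS_APPENDER_V1 in names}

def scan(root):
    """Walk root and report every log4j jar on disk, whether or not anything loads it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):  # nested archives (war/ear) not unpacked
                info = classify_jar(os.path.join(dirpath, name))
                if info:
                    findings.append(info)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed sample: an active 1.2 jar, a leftover 2.x jar, an unrelated jar."""
    samples = {"app/lib/log4j-1.2.17.jar": ["org/apache/log4j/Logger.class", JMS_APPENDER_V1],
               "dev/old/log4j-core-2.14.1.jar": [JNDI_LOOKUP_V2],
               "app/lib/other-1.0.jar": ["com/example/A.class"]}
    for rel, entries in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in scan(tmp):
            print(f["family"], f["version"], f["path"])
```

A file-based check like this cannot tell whether a jar is on the application's classpath, so a finding for a leftover file still needs the kind of usage analysis described in this notice.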