Update, 16 February 2022
The Log4j 1.2.17 library has been replaced with the current 2.17.1 library in the latest release of the software (9.6.17). Customers concerned about vulnerabilities in Log4j 1.2.17 can now upgrade their environment to this version. Only a full upgrade is available; patches for earlier releases cannot be provided. We are still not aware of any Log4j vulnerability in version 1.2.17 that would affect previous installations. Note that Log4j 1.x has been end of life since August 2015 and receives no further fixes from the Apache project.
Am I affected?
The Verint security team is actively investigating the impact of the Apache Log4j2 vulnerability CVE-2021-44228 across all Verint products and cloud services. The team has determined that the current version of Verint Financial Compliance (Verba), as provided to our customers, is not vulnerable to CVE-2021-44228, based on the indicators identified by industry experts. As more information is released, we continue to review our offerings and follow manufacturer-recommended remediations for all systems and services.
Verint Financial Compliance (Verba) does not use Log4j 2.x; it uses an earlier version of the library (1.2.17). Log4j 1.x does not contain the log4j-core 2.x message lookup and JNDI lookup features that CVE-2021-44228 exploits.
Summary & Impact
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behaviour is disabled by default; releases from 2.16.0 onward remove message lookup support altogether and disable JNDI access by default.
Versions affected: all log4j-core versions >=2.0-beta9 and <=2.14.1. For more information, see https://logging.apache.org/log4j/2.x/security.html
Note on Log4j CVE-2019-17571 vulnerability affecting 1.2.x
Log4j 1.2 includes a SocketServer class that deserializes untrusted data and can be exploited for remote code execution when it listens for log data on an untrusted network and a suitable deserialization gadget is available on the classpath. This vulnerability does not affect the system, because the system does not support remote logging over the network, so the vulnerable SocketServer listener is never used.
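Customers who want to verify the statements above on their own installation, rather than rely on file names, can inventory the jars actually present. The following is an added example (not Verint/Verba or Apache code) that walks an installation tree, opens every .jar/.war/.ear including jars nested inside a .war, and classifies each one by the class files it carries: the log4j-core 2.x JndiLookup class together with the Maven pom.properties version (checked against the >=2.0-beta9, <=2.14.1 range quoted above) and the log4j 1.2.x SocketServer class from the CVE-2019-17571 note. The directory layout, jar names and empty marker classes it scans are constructed in a temporary directory for the demonstration and are not a real Verba layout.

```python
"""Inventory Log4j jars under an installation directory and flag the two issues discussed
on this page: log4j-core 2.x in the CVE-2021-44228 range, and the log4j 1.2.x SocketServer
class (CVE-2019-17571). Added example, not Verint/Verba or Apache code; the tree it scans
in demo() is constructed in a temporary directory."""
import io
import os
import re
import tempfile
import zipfile

# Class and metadata entries that identify the library generation and version. Checking
# class names rather than jar file names also catches shaded or renamed jars.
JNDI_LOOKUP_2X = "org/apache/logging/log4j/core/lookup/JndiLookup.class"    # log4j-core 2.x
SOCKET_SERVER_1X = "org/apache/log4j/net/SocketServer.class"               # log4j 1.2.x
POM_PROPS_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_PROPS_1X = "META-INF/maven/log4j/log4j/pom.properties"


def version_key(v):
    """Sortable key for versions such as '2.14.1' or '2.0-beta9'; pre-releases sort below the release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    pre = (0, ("alpha", "beta", "rc").index(m.group(4)), int(m.group(5) or 0)) if m.group(4) else (1, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), pre)


# Affected range as quoted from the Apache advisory: >=2.0-beta9 and <=2.14.1.
AFFECTED_MIN, AFFECTED_MAX = version_key("2.0-beta9"), version_key("2.14.1")


def read_version(zf, props_path):
    """Return the 'version=' value from a Maven pom.properties entry, or None if absent."""
    if props_path not in zf.namelist():
        return None
    for line in zf.read(props_path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_zip(zf, display_path, findings, depth=0):
    """Classify one jar/war and recurse into jars nested inside it (e.g. WEB-INF/lib)."""
    names = set(zf.namelist())
    if JNDI_LOOKUP_2X in names or POM_PROPS_2X in names:
        version = read_version(zf, POM_PROPS_2X)
        # None: version unknown (e.g. shaded jar without pom.properties); inspect manually.
        in_range = None if version is None else AFFECTED_MIN <= version_key(version) <= AFFECTED_MAX
        findings.append({"path": display_path, "generation": "2.x", "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP_2X in names,
                         "cve_2021_44228_range": in_range})
    elif SOCKET_SERVER_1X in names or POM_PROPS_1X in names:
        # The class being shipped only means the code is present; CVE-2019-17571 needs a
        # SocketServer actually listening for log events on an untrusted network.
        findings.append({"path": display_path, "generation": "1.x",
                         "version": read_version(zf, POM_PROPS_1X),
                         "socket_server_present": SOCKET_SERVER_1X in names})
    if depth < 2:
        for n in names:
            if n.lower().endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    inspect_zip(inner, f"{display_path}!{n}", findings, depth + 1)


def scan_tree(root):
    """Walk an installation tree and return Log4j findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_zip(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda r: r["path"])


def _write_jar(path, entries):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample layout (hypothetical, not a real Verba installation) with empty marker classes."""
    _write_jar(os.path.join(root, "lib", "log4j-1.2.17.jar"),
               {SOCKET_SERVER_1X: b"", POM_PROPS_1X: "version=1.2.17\n"})
    _write_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"),
               {JNDI_LOOKUP_2X: b"", POM_PROPS_2X: "version=2.17.1\n"})
    _write_jar(os.path.join(root, "lib", "unrelated.jar"), {"com/example/Foo.class": b""})
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as inner:       # a 2.14.1 jar hidden inside a .war
        inner.writestr(JNDI_LOOKUP_2X, b"")
        inner.writestr(POM_PROPS_2X, "version=2.14.1\n")
    _write_jar(os.path.join(root, "webapps", "app.war"),
               {"WEB-INF/lib/log4j-core-2.14.1.jar": nested.getvalue()})
    return root


def demo():
    """Build the sample tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return scan_tree(build_sample_tree(root))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two points the output makes that a file-name grep does not: the 2.14.1 jar is only found because the scanner opens the .war, and the 2.17.1 jar still contains JndiLookup.class even though it is outside the affected range, so class presence alone is not a verdict; the version check and the presence check have to be read together.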