Log4j Status

On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions prior to 2.15.0 was disclosed:

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

For a description of this vulnerability, see the Fixed in Log4j 2.15.0 section of the Apache Log4j Security Vulnerabilities page.

There is a new development (not uncommon in these situations). A newly discovered flaw in one of the updated versions of Log4j was discovered (that could cause a denial of service condition for services utilizing the library.

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Fortunately an updated library was already available and we included that in much of our remediation work. Some additional work remains to address this new information. If any additional patches or updates are necessary, we will include that information on our status page.”

Affected Products

In response to the Log4Shell vulnerabilities announced on the Internet (with exploit code), Perforce examined the source code of all of our product lines to ensure that none of our products include the vulnerable Log4j open-source library.

We also have ensured that our infrastructure and back-end environments that support our teams and services have been patched where necessary to address the remote code execution issue introduced by the faulty library.

In a couple cases, a patch/upgrade is necessary to remediate this issue—the version numbers are included below.

Perforce is taking an aggressive approach to identify potentially affected systems and remediate them immediately. At this time, it is not anticipated that our users will experience any downtime as a result of our work.