On January 18, 2022, Apache disclosed details of three critical vulnerabilities impacting Log4j 1.2.
You want to know if Jive Hosted/On-Premise v220.127.116.11 is affected by these vulnerabilities.
The new vulnerabilities are:
- CVE-2022-23302: a remote authenticated attacker could exploit it to launch a JNDI request that could lead to remote code execution,
- CVE-2022-23305: a remote attacker could exploit it via queries containing specially-crafted SQL attributes in order to access or alter database information,
- CVE-2022-23307: a remote attacker could exploit it via specially crafted requests to execute arbitrary code.
Related JIRA: https://trilogy-eng.atlassian.net/browse/JVHOPST-72401
Jive 9.4 is not affected by CVE-2022-23302, CVE-2022-23305 or CVE-2022-23307.
However, if you want to upgrade to a version of Jive HOP that is built on Log4j 2.17, v9.9.1 will shortly be available to deploy. Jive 9.9.1 is not yet released (as of 4 April 2022). You can keep an eye out for the release announcement on Worx.