This article addresses the recent Log4j RCE.
Refer to the following links for more information:
Log4j and SFTP Gateway
SFTP Gateway v2 and v3 use logback for logging purposes, rather than
That being said, the following jar exists on SFTP Gateway:
BOOT-INF/lib/log4j-api-2.12.1.jar # on SFTP Gateway v2
BOOT-INF/lib/log4j-api-2.14.1.jar # on SFTP Gateway v3
BOOT-INF/lib/log4j-api-2.17.1.jar # on SFTP Gateway v3.2.1
At first glance, it may appear that the version of log4j falls within the vulnerable version range:
2.0 <= Apache log4j <= 2.14.1
However, we are only using the log4j-api and NOT the core
According to this article: https://logging.apache.org/log4j/2.x/security.html
The versions affected are the
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
SFTP Gateway does not include log4j-core, because it does not use
SFTP Gateway uses logback for logging purposes.
We use a library called slf4j to translate log4j API calls to
So, only the log4j-api jar is included in SFTP Gateway.
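To check the same thing on an application jar, the added example below (not SFTP Gateway's own code) scans a Spring Boot fat jar for nested log4j-api and log4j-core jars, applies the log4j-core range quoted above, and looks for JndiLookup.class inside each match. The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# Nested log4j artifacts in a Spring Boot fat jar, e.g. BOOT-INF/lib/log4j-api-2.14.1.jar
LOG4J_JAR = re.compile(r"(?:^|/)log4j-(api|core)-(\d+)\.(\d+)(?:\.\d+)?(-[A-Za-z0-9]+)?\.jar$")
# Class that exists only in log4j-core; its presence confirms core code is packaged
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def core_affected(major, minor, qualifier):
    """Range as quoted on the page: log4j-core >= 2.0-beta9 and <= 2.14.1."""
    if major != 2 or minor > 14:
        return False
    pre = re.fullmatch(r"-(alpha|beta|rc)(\d+)", qualifier)
    if minor == 0 and pre:  # 2.0 pre-releases: only beta9 and later are in range
        return pre.group(1) == "rc" or (pre.group(1) == "beta" and int(pre.group(2)) >= 9)
    return True

def scan_fat_jar(jar):
    """jar: path or binary file object. Returns one finding per nested log4j jar."""
    findings = []
    with zipfile.ZipFile(jar) as outer:
        for name in outer.namelist():
            m = LOG4J_JAR.search(name)
            if not m:
                continue
            # Open the nested jar from memory and look for the core-only class
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                has_jndi = JNDI_CLASS in inner.namelist()
            affected = m.group(1) == "core" and core_affected(
                int(m.group(2)), int(m.group(3)), m.group(4) or "")
            findings.append({"entry": name, "artifact": m.group(1),
                             "has_jndi_lookup": has_jndi, "affected": affected})
    return findings

def make_jar(entries):
    """Build a constructed in-memory jar (zip) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf

# Constructed samples: an api-only layout like the one described, and a contrasting one with core
API_ONLY = make_jar({"BOOT-INF/lib/log4j-api-2.14.1.jar":
                     make_jar({"org/apache/logging/log4j/Logger.class": b""}).getvalue()})
WITH_CORE = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": make_jar({JNDI_CLASS: b""}).getvalue()})

if __name__ == "__main__":
    for label, jar in (("api-only", API_ONLY), ("with-core", WITH_CORE)):
        print(label, scan_fat_jar(jar))
```

Matching is by file name, so log4j-core classes shaded into a differently named jar are not detected. The range check applies the quoted bounds as written and does not special-case individual releases inside them.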
Log4j yum package
SFTP Gateway version 3.2.1 runs on Ubuntu 20.04, and the log4j apt package is not installed.
[root@ip-172-31-4-141 sftpgw]# apt list installed log4j
Listing... Done