Following the discovery of the Log4j vulnerability, Savance can confirm that EIOBoard/Workplace is not vulnerable to CVE-2021-44228, because none of our products use Log4j. After a thorough audit of our code base and cloud environments, we found no use of the Apache Log4j library. We are therefore confident that no EIOBoard products are exposed to this recently discovered exploit.
Our Angular libraries import a Log4j-derived module called “log4js-node”. This module is not vulnerable to the Log4j vulnerabilities that exploit the underlying Java Runtime Environment (gmillerd, 2021).
Furthermore, we evaluated our inventoried assets with two vulnerability scripts to reveal any systems running JNDI features, checking for references to “JndiLookup.class” or for the log4j-core file hash. None of our inventoried assets referenced the Log4j library.
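The kind of check described above can be sketched as follows. This is an added example, not one of the scripts Savance ran: the function names, the nested-archive handling and the sample archives are assumptions, and the hash set is constructed in place of a published list of log4j-core hashes.

```python
import hashlib, io, pathlib, zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MARKER = "JndiLookup.class"
MAX_NESTED = 64 * 1024 * 1024  # skip oversized nested archives (zip-bomb guard)

def scan_archive(data, label, known_hashes=frozenset(), depth=0):
    """Return (location, reason) findings; recurses into nested archives."""
    findings = []
    if hashlib.sha256(data).hexdigest() in known_hashes:
        findings.append((label, "hash matches listed log4j-core build"))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; only the hash check applies
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.rsplit("/", 1)[-1] == MARKER:
                findings.append((f"{label}!{name}", "contains JndiLookup.class"))
            elif (name.lower().endswith(ARCHIVE_EXT) and depth < 5
                  and info.file_size <= MAX_NESTED):
                findings += scan_archive(zf.read(info), f"{label}!{name}",
                                         known_hashes, depth + 1)
    return findings

def scan_tree(root, known_hashes=frozenset()):
    """Scan every Java archive found under a directory."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if path.suffix.lower() in ARCHIVE_EXT and path.is_file():
            try:
                findings += scan_archive(path.read_bytes(), str(path), known_hashes)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
    return findings

def make_jar(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples (not real log4j builds): a stub library nested in a WAR.
SAMPLE_LIB = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"stub"})
SAMPLE_WAR = make_jar({"WEB-INF/lib/log4j-core-sample.jar": SAMPLE_LIB, "index.html": b"hi"})
SAMPLE_HASHES = {hashlib.sha256(SAMPLE_LIB).hexdigest()}  # constructed, not a real list
```

A hash list only matches unmodified builds, so the class-name check is what catches copies bundled inside WAR files or repackaged jars. An empty result from `scan_tree` covers only the directories it was pointed at.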
More information on the Apache Log4j exploit can be found in the sources below.
CISA. (2021, December 23). Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. CISA. https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
gmillerd. (2022, December 21). Is log4js-node affected by the log4s vulnerability? · Issue #1105 · log4js-node/log4js-node. GitHub. https://github.com/log4js-node/log4js-node/issues/1105