Solutions

Is log4j 1.2.17 in PVCS Version Manager affected by CVE-2021-4104?



ID:    S143616
Published:    01 February 2022
Updated:    17 February 2022

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

PVCS Version Manager (VM) 8.6.x and older contains log4j 1.2.17, which can be affected by CVE-2021-4104 under certain circumstances. Is PVCS VM vulnerable?

 

Resolution

PVCS Version Manager is not affected by the vulnerability in log4j 1.2.17. Exploiting this issue requires a configuration using a JMSAppender, which is not how PVCS VM is configured.
 
No mitigation steps are required, provided no one has manually changed the log4j configuration to add a JMSAppender. (This is exceedingly unlikely, as a JMSAppender serves no purpose in PVCS VM.)
 
In the next release (PVCS Version Manager 8.7), log4j 1.2.17 will be updated or replaced to remove any ability to manually deploy a vulnerable configuration.
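To confirm that no one has added a JMSAppender by hand, the log4j configuration files can be scanned for an active reference to the appender class. The script below is an added example, not part of the original article or of PVCS VM. The directory to scan is supplied by the operator, and the `log4j*.properties` / `log4j*.xml` file-name pattern is an assumption about how the configuration files are named.

```python
import re
import sys
import tempfile
from pathlib import Path

# log4j 1.x names the appender class in both .properties and .xml configs.
JMS = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
XML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def active_lines(path):
    """Yield (line_number, text) for lines that are not commented out."""
    text = path.read_text(errors="replace")
    if path.suffix.lower() == ".xml":
        # Blank out XML comments but keep newlines so line numbers stay right.
        text = XML_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if path.suffix.lower() != ".xml" and stripped.startswith(("#", "!")):
            continue  # comment line in a .properties file
        yield number, stripped


def find_jms_appenders(root):
    """Return [(file, line_number, text)] for active JMSAppender references."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and re.fullmatch(r"log4j.*\.(properties|xml)", path.name, re.I):
            hits += [(str(path), n, t) for n, t in active_lines(path) if JMS.search(t)]
    return hits


def demo():
    """Run the scan over constructed sample configs (not PVCS VM's own files)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "log4j.properties").write_text(
            "#log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
            "log4j.appender.file=org.apache.log4j.FileAppender\n")
        Path(tmp, "log4j.xml").write_text(
            '<log4j:configuration>\n'
            '<appender name="jms" class="org.apache.log4j.net.JMSAppender"/>\n'
            '</log4j:configuration>\n')
        return [(Path(f).name, n) for f, n, _ in find_jms_appenders(tmp)]


if __name__ == "__main__":
    results = find_jms_appenders(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(*results, sep="\n")
    sys.exit(1 if results else 0)
```

Run it with the installation directory as the only argument. An exit status of 0 with no output means no active JMSAppender reference was found in the matching files.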


 

