
We ran the Fortify tool on our code base, which is currently using log4j version 2.17.1+. However, the Fortify tool complains that:

The program runs a JNDI lookup with an untrusted address that might enable an attacker to run arbitrary Java code remotely.

I googled a lot, and everywhere it says that from log4j 2.17.0 onwards this issue has been addressed. Can anyone please suggest?

Sammidbest

  • It is most likely a false positive. But to be sure, you should check in your `log4j` configuration whether you have [jndi enabled](https://logging.apache.org/log4j/log4j-2.3/manual/lookups.html#JndiLookup) somewhere to be sure. – Bagus Tesa May 16 '22 at 07:34
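The check the comment suggests, written out as an added example (this is not code from the question, the comment, or the log4j project): it scans a log4j2 XML configuration for explicit `${jndi:...}` lookups and inspects JVM `-D` arguments and a `log4j2.component.properties` file for the opt-in flags that log4j 2.17.0+ requires before it performs any JNDI lookup (`log4j2.enableJndiLookup`, `log4j2.enableJndiJms`, `log4j2.enableJndiContextSelector`). The sample configuration and JVM arguments below are constructed for the example; the property-file parsing is deliberately simplified (plain `key=value` lines only).

```python
"""Check a log4j 2.17+ deployment for signs that JNDI lookups are enabled.

Since log4j 2.17.0 the JNDI lookup is disabled unless one of the opt-in
properties below is set to "true", so the practical question for a
Fortify finding is: does any configuration or JVM flag switch it back on?
"""
import re
from typing import Dict, List

# Opt-in flags introduced in log4j 2.17.0; JNDI stays off unless one is "true".
JNDI_OPT_IN_PROPERTIES = (
    "log4j2.enableJndiLookup",
    "log4j2.enableJndiJms",
    "log4j2.enableJndiContextSelector",
)

# Matches an explicit JNDI lookup written into a layout pattern or property.
JNDI_LOOKUP_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse simple key=value lines (log4j2.component.properties style)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_jvm_args(args: List[str]) -> Dict[str, str]:
    """Extract -Dkey=value system properties from a JVM command line.

    A bare "-Dkey" makes Java set the property to the empty string, which
    log4j does not treat as "true", so it is recorded as "" rather than "true".
    """
    props: Dict[str, str] = {}
    for arg in args:
        if arg.startswith("-D"):
            key, sep, value = arg[2:].partition("=")
            props[key] = value if sep else ""
    return props


def check(config_xml: str, jvm_args: List[str], component_props: str = "") -> List[str]:
    """Return a list of human-readable findings; an empty list means JNDI is off."""
    findings: List[str] = []
    sources = {
        "JVM argument": parse_jvm_args(jvm_args),
        "log4j2.component.properties": parse_properties(component_props),
    }
    for source, props in sources.items():
        for name in JNDI_OPT_IN_PROPERTIES:
            if props.get(name, "").strip().lower() == "true":
                findings.append(f"{source}: {name}=true re-enables JNDI")
    for lineno, line in enumerate(config_xml.splitlines(), 1):
        if JNDI_LOOKUP_RE.search(line):
            findings.append(f"config line {lineno}: explicit ${{jndi:...}} lookup")
    return findings


# --- constructed sample inputs (not from any real deployment) ---------------
SAFE_CONFIG = (
    "<Configuration>\n"
    "  <Appenders>\n"
    '    <Console name="stdout">\n'
    '      <PatternLayout pattern="%d %p %c - %m%n"/>\n'
    "    </Console>\n"
    "  </Appenders>\n"
    "</Configuration>\n"
)
# Same layout, but line 4 pulls a value through a JNDI lookup.
LOOKUP_CONFIG = SAFE_CONFIG.replace(
    'pattern="%d %p %c - %m%n"',
    'pattern="%d ${jndi:java:comp/env/appName} %p %c - %m%n"',
)
SAFE_JVM_ARGS = ["-Xmx512m", "-Dlog4j2.formatMsgNoLookups=true"]
RISKY_JVM_ARGS = ["-Xmx512m", "-Dlog4j2.enableJndiLookup=true"]
BARE_JVM_ARGS = ["-Xmx512m", "-Dlog4j2.enableJndiLookup"]
RISKY_COMPONENT_PROPS = "# enables JMS appender JNDI usage\nlog4j2.enableJndiJms = true\n"

if __name__ == "__main__":
    for label, cfg, args, props in [
        ("safe", SAFE_CONFIG, SAFE_JVM_ARGS, ""),
        ("lookup in config", LOOKUP_CONFIG, SAFE_JVM_ARGS, ""),
        ("flag on JVM", SAFE_CONFIG, RISKY_JVM_ARGS, ""),
        ("bare flag", SAFE_CONFIG, BARE_JVM_ARGS, ""),
        ("component props", SAFE_CONFIG, SAFE_JVM_ARGS, RISKY_COMPONENT_PROPS),
    ]:
        print(f"{label}: {check(cfg, args, props) or 'no JNDI findings'}")
```

If `check` returns nothing for the real configuration, JVM flags and component properties of the deployment, the Fortify warning is the static-analysis tool reacting to the presence of the lookup class rather than to a reachable lookup; if it does return something, that is the spot to review.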

0 Answers