Feedback
Did this article resolve your question/issue?

   

Article

Is MOVEit vulnerable to CVE-2021-44228 (Log4j)?

« Go Back

Information

 
TitleIs MOVEit vulnerable to CVE-2021-44228 (Log4j)?
URL NameIs-MOVEit-vulnerable-to-CVE-2021-44228-Log4j
Article Number000206960
Information

On December 9, 2021 Progress Software was made aware of a critical vulnerability in a common Java logging library called Log4j.  Links to additional resources describing the vulnerability and its origin are included at the end of this post. 
 

Although some MOVEit products are Java based, none of the currently supported MOVEit versions are affected.  Please check the MOVEit Product Support Lifecycle page and ensure you are on a supported version of MOVEit.  
 

If you are scanning MOVEit installations for log4j you may find the following log4j files:

  • log4j-1.2.17 
    Log4j version 1.2.17 was not affected by the vulnerability, but was shipped with some supported versions of MOVEit 

  • log4j-api, log4j-to-slf4 or log4j-jul 

    Only the log4j-core module was affected by the vulnerability.  MOVEit products do not use log4j-core and it is not installed with MOVEit dependencies 

 

MOVEit Cloud is not directly vulnerable to the log4j vulnerability.  All 3rd party tools have been reviewed and mitigations or updates have been applied where specified by vendors. 

Log4J Addendum articles: 
https://community.progress.com/s/article/Is-MOVEit-Vulnerable-to-CVE-2021-45046-Log4j
https://community.progress.com/s/article/Is-MOVEit-Vulnerable-to-CVE-2019-17571-and-CVE-2021-4104-Log4j

Additional Information
EnvironmentMOVEit
Last Modified Date1/4/2022 4:27 PM
Attachment 
Files
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.