While eFORMz uses utilities from Apache Foundation, eFORMz does not deliver the components used in this exploit.
To satisfy the call requirements for logging, we ship slf4j (Simple Logging Façade for Java), which is bound to the no-op implementation (slf4j-nop) rather than to log4j.
The shipped version of slf4j should be 1.7.25 (https://www.cvedetails.com/version/267529/Slf4j-Slf4j-1.7.25.html).
- To ensure our product is safe on your system, please verify that none of the offending files “log4j-core-*.jar” have been installed.
- The option noted in the CVE, disabling message lookups, will not adversely affect eFORMz. Add -Dlog4j2.formatMsgNoLookups=true to the startup. Call for assistance. This should not have any effect on eFORMz as there is no current use for logging through this facility.
- If you do not use the web services built into eFORMz, ensure they are disabled.
- If you do use the web services, ensure your firewall rules are valid and that the authentication used is appropriate.
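
The file check in the first item above can be scripted. The following Python script is an added example, not part of eFORMz or any vendor tooling; it goes one step beyond the file-name check by also flagging archives that bundle log4j-core's JndiLookup class. The jar names created in demo() are constructed sample data, and the install directory to scan is supplied by you as the first argument.

```python
import fnmatch
import os
import sys
import tempfile
import zipfile

# Class that performs JNDI lookups in log4j-core; bundled ("fat") jars carry it
# even when no file on disk is named log4j-core-*.jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan(root):
    """Return sorted (path, reason) pairs for log4j-core hits under root.
    Archives nested inside other archives are not opened."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if fnmatch.fnmatch(name.lower(), "log4j-core-*.jar"):
                hits.append((path, "filename"))
            elif name.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(path) as zf:
                        if JNDI_CLASS in zf.namelist():
                            hits.append((path, "bundled JndiLookup.class"))
                except (zipfile.BadZipFile, OSError):
                    hits.append((path, "unreadable archive, check manually"))
    return sorted(hits)


def demo():
    """Build a constructed directory tree and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for name, entry in (("slf4j-nop-1.7.25.jar", "META-INF/MANIFEST.MF"),
                            ("log4j-core-0.0.0.jar", "META-INF/MANIFEST.MF"),
                            ("bundle.jar", JNDI_CLASS)):
            with zipfile.ZipFile(os.path.join(root, "lib", name), "w") as zf:
                zf.writestr(entry, "")
        return [(os.path.basename(p), why) for p, why in scan(root)]


if __name__ == "__main__":
    # Pass the install directory as the first argument; without one, run the demo.
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, why in results:
        print(f"{path}: {why}")
    sys.exit(1 if results else 0)
```

An exit status of 0 means nothing matched; any reported path should be reviewed before the system is considered clear.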