Welcome back! Ask questions, get answers, and join our large community of tax professionals.
Showing results for 
Search instead for 
Did you mean: 

Log4j code vulnerability in tax planning program

Level 3

In scanning my network with https://github.com/Qualys/log4jscanwin I found that all versions of the Lacerte tax planning (not the main program but the planning) software include Log4.jar software.  The newest tax planning software program has version 1.2.17 

VU#930724 - Apache Log4j allows insecure JNDI lookups (cert.org)

What is Lacerte's plans to first notify us that we do have this on our networks and then to update the supported software to remove the vulnerable code from this software?

3 Comments 3
Level 3

I did a scan of the local C drives and log4.jar (vulnerable) is also in the local folders on the local machines of the main tax software program.

Level 3

"Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. "


Log4j 2.x is not in desktop Lacerte. It's Logj 1.x

CVE - CVE-2021-4104 (mitre.org)

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Level 3

Same, and I can get no action from Intuit.

0 Cheers