In scanning my network with https://github.com/Qualys/log4jscanwin I found that all versions of the Lacerte tax planning (not the main program but the planning) software include Log4.jar software. The newest tax planning software program has version 1.2.17
VU#930724 - Apache Log4j allows insecure JNDI lookups (cert.org)
What are Lacerte's plans to first notify us that we do have this on our networks and then to update the supported software to remove the vulnerable code from this software?
I did a scan of the local C drives and log4.jar (vulnerable) is also in the local folders on the local machines of the main tax software program.
"Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. "
Log4j 2.x is not in desktop Lacerte. It's Log4j 1.x
CVE - CVE-2021-4104 (mitre.org)
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
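The CVE text above gives a concrete precondition: Log4j 1.2 is only exposed when its configuration wires in JMSAppender. The following script is an added example (not from this thread, and not Intuit's or Lacerte's code) that turns that precondition into a check a defender can run over an install directory: it lists any log4j 1.x jar it finds, reads the version from the jar manifest, and flags log4j.properties / log4j.xml files that reference org.apache.log4j.net.JMSAppender. All paths, jar names and config contents in the demo fixture are constructed for illustration; the `build_demo_tree`, `scan` and `run_demo` names are the example's own.

```python
"""Added example: defender-side check for CVE-2021-4104 exposure in log4j 1.x.
Walks a directory tree, records log4j 1.x jars (version from the manifest)
and flags log4j configs that configure JMSAppender. Fixture data is constructed."""
import os
import re
import tempfile
import zipfile

# Matches log4j.jar and log4j-1.2.17.jar style names (constructed assumption
# about how a 1.x jar is named; 2.x jars use log4j-core-2.x.jar and do not match).
JAR_RE = re.compile(r"^log4j(?:-1(?:\.\d+)*)?\.jar$", re.IGNORECASE)
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def jar_version(path):
    """Return Implementation-Version from the jar's MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def config_uses_jms_appender(path):
    """True if a log4j 1.x config references JMSAppender (the CVE-2021-4104 precondition)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return JMS_APPENDER in fh.read()


def scan(root):
    """Return found log4j 1.x jars, configs that enable JMSAppender, and a verdict string."""
    jars, risky_configs = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if JAR_RE.match(name):
                jars.append((full, jar_version(full)))
            elif name.lower() in CONFIG_NAMES and config_uses_jms_appender(full):
                risky_configs.append(full)
    if jars and risky_configs:
        verdict = "JMSAppender configured: CVE-2021-4104 applies; remove the appender and restrict config write access"
    elif jars:
        verdict = "log4j 1.x present, JMSAppender not configured: CVE-2021-4104 precondition not met, but the library is EOL"
    else:
        verdict = "no log4j 1.x jar found"
    return {"jars": jars, "risky_configs": risky_configs, "verdict": verdict}


def build_demo_tree(root, with_jms):
    """Constructed fixture: a fake log4j-1.2.17.jar (manifest only) plus a config file."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
    if with_jms:
        cfg = "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=%s\n" % JMS_APPENDER
    else:
        cfg = "log4j.rootLogger=INFO, file\nlog4j.appender.file=org.apache.log4j.FileAppender\n"
    with open(os.path.join(root, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write(cfg)


def run_demo(with_jms):
    """Build a throwaway tree and scan it; returns the scan result dict."""
    root = tempfile.mkdtemp(prefix="log4j1demo_")
    build_demo_tree(root, with_jms)
    return scan(root)


if __name__ == "__main__":
    for flag in (True, False):
        print(run_demo(flag)["verdict"])
```

Run it against a real install by calling `scan("<install dir>")` instead of the demo tree; the jar inventory is what you hand to the vendor, and an empty `risky_configs` list is the evidence that the JMSAppender condition from the CVE text is not met on that machine.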
Same, and I can get no action from Intuit.