Summary:

A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Description:

This article applies only to Code Aware instances independent of Code Insight. Meaning if you purchased Code Aware or have downloaded the free standalone edition of Code Aware from our website, this article applies.

Standalone Code Aware installation is not impacted by CVE-2021-44228. This uses SLF4J (+logback) for logging.

Note about SLF4J: SLF4J is a wrapper logging framework which can use one of the logging implementations like logback, log4j, java.util.logging etc.

In the Code Aware module, we use SLF4 logging which in turn points to and uses native implementation of logback library.

Log4j 2 jar files are shipped and are present in the standalone Code Aware install location, however the Log4j 2 library is neither:

1. configured to be used with SLF4j
2. nor directly referenced in the code

Hence, despite the presence of Log4j 2 files in the standalone Code Aware application, it can be confirmed that Log4j 2 libraries are not used for logging.

Resolution:

No fix is required.  

Workaround:

As standalone Code Aware application has no dependency on the included Log4j 2 libraries, these can be deleted using the instructions below:

Remediation Steps for Standalone Code Aware

1. Login as the user who has been using standalone Code Aware.
2. Ensure that Code Aware is not running while performing the below steps.
3. Take the back up of “$CodeAware_Install_Location\codeaware.jar" file.
4. Navigate to “$CodeAware_Install_Location\7-zip\win64"
5. Execute below command from terminal or command prompt to remove "log4j-api-2.11.1.jar" and "log4j-core-2.11.1.jar" from the "codeaware.jar" file. This command uses the “7z” tool supplied with application to remove files within the jar file.

7z.exe d “CodeAware_Install_Location\codeaware.jar” log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r