CVE-2021-44228 :

Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and
other JNDI related endpoints.

Severity:
Critical (A vulnerability rated with a Critical impact is one which could
potentially be exploited by a remote attacker to get Log4j to execute arbitrary
code (either as the user the server is running as, or root). These are the sorts of
vulnerabilities that could be exploited automatically by worms.)

Versions Affected:
all log4j-core versions >=2.0-beta9 and <=2.14.1

Description:
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI related
endpoints. An attacker who can control log messages or log message parameters can
execute arbitrary code loaded from LDAP servers when message lookup substitution
is enabled. From log4j 2.15.0, this behavior has been disabled by default.
Mitigation :

1. In releases >=2.10, this behavior can be mitigated by setting either the system property
log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

2. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message
converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to
remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.

3. Since issue is fixed in release 2.15.0, upgrading to Log4j 2.15.0

 Remediation in Deployment System Checkout
Application Old/Current PROD Required?
Identified  Version P1 P2 MN P1 P2 MN Actual / Expected
Closure Date Remarks
POGH 2.6 Yes
Completed Completed Completed Completed Completed Completed  12/12
ISSO 2.6 Yes “Contact us” page is not working post
Completed Completed Completed Completed Completed Completed  12/12 upgrade.
Commissions 2.12.1 Yes
Completed Completed Completed Completed Completed Completed  12/12
ER Portal 2.11 Yes
Completed Completed Completed Completed Completed Completed  12/13
GULGVUL 2.12.1 Yes
Completed Completed Completed Completed Completed Completed 12/13  
12/13 No Jenkins Pipeline, manual deployment done
Profile Service 2.12.1 Yes
Completed Completed Completed NA NA NA
12/18?? It is being used by ISSO internal
TPASelfService 2.7 In Progress
           
12/18 It is an internal application, SOE 1 team will
ECOMM-Util 2.11.2 Pending release this
           
It is getting addressed as part of SOE 2
In Progress 12/18 release.
MyBenefits 1.2.14            
In Progress 12/15
GI OSGLI 1.2.17            
Webenroll 1.2.14 Pending             12/18 SOE 1 team will release this

Pending 12/18??
GI Billing 1.2.17            
Pending 12/18 SOE 3 team will release this
WDMS 1.2.16            
Pending 12/18 SOE 3 team will release this
WLMS 1.2.17            
Pending 12/18 AMS T3 will release this
Medu 1.2.14            
Pending 12/18 SOE 3 team will release this
GI ET Online 1.2.14            
ECOMM It is an initial repository but not being used by
Microservices 2.7.0 Not Required any service