Is there any WHD vulnerability with the widely applied log4j issue? I presume from the absence of messaging that all is well, but would prefer confirmation.
I've seen evidence of the affected jar files on a deployment of 12.7.2.
See this post for our analysis across all products - https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228
Hi,
I looked through this advisory, and there is no mention of non-Orion products.
In looking through the install directory, I do see (as axemanit mentioned) hundreds of references to log4j (but not log4j2).
Is WHD using 1.x, and that is what is making it not subject to this issue?
We received this from SolarWinds in response to our support ticket: "Older versions of Web Help Desk prior to version 12.7.3 use an older version of log4j that is not listed as vulnerable to exploit. Starting with version 12.7.3, Web Help Desk logging was updated and changed to Logback as an alternative to the log4j java framework for logging. In summary, all versions of the Web Help Desk are not vulnerable to the log4j exploit detailed in CVE-2021-44228."
WHD used 1.2.16 prior to being replaced with Logback in a previously shipped version.
I found the list of what is included in Web Help Desk which includes log4j, in contrast to the reports that Web Help Desk uses logback...
documentation.solarwinds.com/.../helpdeskthirdpartysoftwarelist.htm
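The check several posts above do by eye (log4j 1.x jars present, no log4j 2.x) can be scripted. This is an added example, not part of any post and not SolarWinds code; the marker paths are the standard Apache package locations, and the jar and war names in `demo()` are constructed sample input.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# JndiLookup, the class behind CVE-2021-44228, ships only in log4j-core 2.x.
# org.apache.log4j is the 1.x package (the 2.x bridge jar reuses that name).
V1_MARKER = "org/apache/log4j/Logger.class"
V2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def classify(data, label, findings):
    """Record a verdict for one archive, then recurse into nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings[label] = "unreadable"
        return
    with archive:
        names = archive.namelist()
        if any(n.endswith(V2_MARKER) for n in names):
            findings[label] = "log4j-core 2.x, JndiLookup present"
        elif any(n.endswith(V1_MARKER) for n in names):
            findings[label] = "org.apache.log4j (1.x API) classes only"
        for n in names:
            if n.lower().endswith(ARCHIVES):
                classify(archive.read(n), f"{label}!{n}", findings)

def scan(root):
    """Walk an install directory and classify every Java archive in it."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            classify(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings

def make_jar(entries):  # constructed sample input: {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def demo():
    """Scan a constructed tree: a 1.x jar, and a war containing a 2.x core jar."""
    core = make_jar({V2_MARKER: b""})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "log4j-1.2.16.jar").write_bytes(make_jar({V1_MARKER: b""}))
        Path(root, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": core}))
        return scan(root)
```

Call `scan()` on the install directory to get a path-to-verdict mapping. Matching is by class path, so a copy of the library relocated under a different package name will not be reported.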