IET Community
Apache log4j Remote Code Execution Zero Day - Active Exploit - Printable Version

+- IET Community (https://www.iet.uk/community)
+-- Forum: News and Views from IET (https://www.iet.uk/community/forumdisplay.php?fid=11)
+--- Forum: IET News and Announcements (https://www.iet.uk/community/forumdisplay.php?fid=12)
+--- Thread: Apache log4j Remote Code Execution Zero Day - Active Exploit (/showthread.php?tid=124)



Apache log4j Remote Code Execution Zero Day - Active Exploit - Darius Panahy - 2021-12-14

A remote-code execution vulnerability has been found in the Apache log4j logging library. 

This library is widely used in java applications and is used within the Rapide runtime. 

Rapide has been updated to include the latest 2.15.0 version of log4j and this is included in the following updated releases of the software which are now available to download:

  • Rapide 3.0.2
  • GuardIEn web client 8.8.0 (updated to show 8.8.0a in the home page)
  • GuardIEn web client 8.7.5 (updated to show 8.7.5 in the home page)

Other platforms for example Windows clients or server software are not affected.

if you are using an earlier release of Rapide or the GuardIEn web client then it is highly recommended that you upgrade.


RE: Apache log4j Remote Code Execution Zero Day - Active Exploit - Darius Panahy - 2021-12-17

Further to the above posting, Rapide versions 2.0.2 and 3.0.3 are now available which update the log4j version to 2.16.0.

The GuardIEn web clients for 8.7.5 and 8.8.0 have also been updated to use log4j 2.16.0


RE: Apache log4j Remote Code Execution Zero Day - Active Exploit - Darius Panahy - 2021-12-20

Another version of the Apache log4j library has been released - version 2.17.0.

The following products have been updated to include 2.17.0:

  • Rapide 2.0.3
  • Rapide 3.0.4
  • GuardIEn Web Client 8.7.5
  • GuardIEn Web Client 8.8.0
  • Studio Developer 8.7.5.0001
  • Studio Developer 8.8.0.0001



RE: Apache log4j Remote Code Execution Zero Day - Active Exploit - Darius Panahy - 2021-12-20

We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.


RE: Apache log4j Remote Code Execution Zero Day - Active Exploit - m.b - 2021-12-24

(2021-12-20, 06:28 PM)Darius Panahy Wrote: We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.
Do I understand correctly that it is safe to remove file log4j-1.2.15.jar from C:\Program Files\IET\Client880\Studio\rapide\uk.co.iet.rapide.win32_3.0.0_lib after installing the DevOps Suite? We do not have a license for Rapide, so it's never used.


RE: Apache log4j Remote Code Execution Zero Day - Active Exploit - Darius Panahy - 2021-12-24

(2021-12-24, 09:02 AM)m.b Wrote:
(2021-12-20, 06:28 PM)Darius Panahy Wrote: We have analysed the Rapide runtime and the usage of log4j by third party utilities and have concluded that log4j is not required by Rapide. Therefore, to remove the need for further updates in the event that additional vulnerabilities are encountered and fixed in log4j, we have removed it from Rapide in version 3.0.5. This means that the following releases no longer use log4j:

  • Rapide 3.0.5
  • GuardIEn Web Client (8.7.5 and 8.8.0)
  • Studio Developer (8.7.5.0001 and 8.8.0.0001)


Rapide 2.0 still contains (but does not use) log4j and is patched to version 2.17.0.
Do I understand correctly that it is safe to remove file log4j-1.2.15.jar from C:\Program Files\IET\Client880\Studio\rapide\uk.co.iet.rapide.win32_3.0.0_lib after installing the DevOps Suite? We do not have a license for Rapide, so it's never used.
Yes, it can be removed.