Summary

CVE-2021-44228 and CVE-2021-45046 (Log4Shell or LogJam) are both zero-day vulnerabilities in the widely used Apache Log4j Java-based logging library. Because the library is used in many popular products, customers have contacted Green Rocket Security asking whether the vulnerabilities affect GreenRADIUS. The Log4j logging library is not used in GreenRADIUS, and therefore GreenRADIUS is not vulnerable to the Log4j exploits. However, as general information, the Log4j library is widely used in enterprise applications, including applications from companies like Apple, Twitter, Amazon and Tesla. It is also used in products that include Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, mainly because of its flexibility and rich feature set for recording log information. Attackers exploit these vulnerabilities by constructing special data request packets that abuse a feature intended for writing error logs, which ultimately triggers remote code execution.

Conclusion

Log4j is not used in any version of GreenRADIUS. Consequently, GreenRADIUS is not vulnerable to the Log4j issues. However, anyone using the Log4j library in other products should immediately look to update their products as necessary.