In December 2021, the following vulnerabilities in the Apache Log4j 2.x Java logging library were disclosed:

• CVE-2021-44228: Apache Log4j 2.x JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints with potential for code execution.

• CVE-2021-45046: Apache Log4j 2.x Thread Context Message Pattern and Context Lookup Pattern is vulnerable to potential information leak and code execution.

• CVE-2021-45105: Apache Log4j 2.x is vulnerable to uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.

• CVE-2021-44832: Apache Log4j 2.x is vulnerable to code execution when configured to use JDBCAppender or the attacker has write access to the Log4j configuration.

A description of these vulnerabilities can be found on the Apache Log4j 2.x Security Vulnerabilities page.

Additionally, in December 2021 and January 2022, the following vulnerabilities in the Apache Log4j 1.x Java logging library were disclosed:

• CVE-2021-4104: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSAppender or the attacker has write access to the Log4j configuration with potential for remote code execution.

• CVE-2022-23302: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSSink to perform JNDI requests or when the attacker has write access to the Log4j configuration with potential for remote code execution.

• CVE-2022-23305: Apache Log4j 1.x when configured to use JDBCAppender is vulnerable to malicious crafted SQL strings allowing unintended SQL queries to be executed.

• CVE-2022-23307: Apache Log4j 1.x is vulnerable to deserialization of the contents of certain log entries when the chainsaw component is run with potential for code execution.

A description of these vulnerabilities can be found on the Apache Log4j 1.2 Security Vulnerabilities page. Based on the available information, these vulnerabilities in Log4j 1.x may only be exploited if the vulnerable component is configured for use, and/or the attacker has sufficient privileges to start the service or change the configuration on the host. These vulnerabilities require a more complex attack vector, resulting in lower severity of these vulnerabilities relative to the log4j 2.x JNDI exposure.

Mitel is investigating its products to determine which products may be affected by these vulnerabilities. Mitel will update this advisory as the details become available.

This is an ongoing investigation, as such be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

Vulnerable Products

The following products have been determined to be affected by one or more of these vulnerabilities. This section will be updated as Mitel’s investigation continues.

Product Assessments

The following table provides the status of Mitel products which may be affected by the vulnerabilities listed in the Summary section above.

Mitel is investigating these products to determine if they are affected by log4j 1.x vulnerabilities. The products listed here with status investigating have been confirmed NOT to be affected by the listed log4j 2.x vulnerabilities.

This section will be updated as Mitel’s investigation continues.