ThreadFix Log4j Vulnerability Response

Coalfire continues to research the Log4j CVE logged on December 10 (CVE-2021-44228). Our investigations still show that ThreadFix is not susceptible to Log4Shell or the subsequent exploit CVE-2021-45046.

However, given that we have already moved away from Log4j to an alternate logging framework for ThreadFix 3.1, we have decided to take extra precautions and replace Log4j for our clients still using ThreadFix 2.8, even though it does not include the impacted class. Our tentative plan is to have hotfix 2.8.5.1 containing that change available in January.

Once you’ve imported your most recent scans, ThreadFix can help identify Log4j in your environment.

...