ThreadFix Log4j Vulnerability Response

Coalfire continues to research the Log4j CVE logged on December 10 (CVE-2021-44228). Our investigations still show that ThreadFix is not susceptible to Log4Shell or the subsequent exploit CVE-2021-45046.

However, given that we have already moved away from Log4j to an alternate logging framework for ThreadFix 3.1, we have decided to take extra precautions and replace Log4j for our clients still using ThreadFix 2.8, even though it does not include the impacted class. Our tentative plan is to have a hotfix containing that change available in January.

January 10th, 2022 Update

ThreadFix version 2.8.5.1 contains updates addressing the Log4j vulnerability. Please note the download file and release notes below:

Once you’ve imported your most recent scans, ThreadFix can help identify Log4j in your environment.

...