JNBridge and the Log4j Vulnerability CVE-2021-44228
Recently, professional security researchers reported a vulnerability in the Java package log4j. The vulnerability affects Log4j versions from 2.0 to 2.14.1. See the following reference for details: CVE-2021-44228
The JNBridge JMS Adapter for BizTalk
The BizTalk Adapter does not use Apache’s Log4J implementation in any way and does not ship with the JAR file. In other words, the proxy assembly, jnbproxies.dll, does not contain any proxies for the org.apache.log4j.* namespace.
However, the Java-side JMS stack, which is the vendor's JMS client implementation, may itself require Log4J (the Classpath property in the BTS transport handler configuration points to that stack).
For example, if we look at ActiveMQ, version 5.13.3, the client-side stack is contained in the JAR file activemq-all-5.13.3.jar. We can see that org.apache.log4j.* is present in that JAR file. Looking in the META-INF directory, we can see that the Log4J implementation used by AMQ is version 1.2.17 and is not subject to the vulnerability.
Look at the JMS vendor's client stack on the machines where the adapter is installed. If the client stack contains the log4j implementation as a standalone JAR file, e.g. log4j-#.#.#.jar, it may be possible to replace it with the JAR file of a version that is not subject to the vulnerability (the log4j API has not changed in years). If the log4j implementation is bundled inside another JAR file, as with ActiveMQ, and is subject to the vulnerability, contact the JMS vendor and obtain a client stack with the proper version inside.
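The inspection described above (which log4j generation a vendor JAR bundles, and the version recorded under META-INF), as an added example that is not JNBridge's code. It assumes the JAR carries Maven pom.properties metadata, as ActiveMQ's does; the sample JAR it scans is constructed in memory, not a real vendor artifact.

```python
import io
import re
import zipfile

# Log4j 1.x classes live under org/apache/log4j/, Log4j 2.x under
# org/apache/logging/log4j/. The JNDI lookup class is the log4j-core
# component involved in CVE-2021-44228.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven embeds artifact metadata here, also inside "uber" JARs like activemq-all.
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/(log4j|log4j-core)/pom\.properties$")

def inspect_jar(jar_file):
    """Report which log4j generation a JAR bundles and the versions declared in META-INF."""
    report = {"log4j1": False, "log4j2": False, "jndi_lookup": False, "versions": {}}
    with zipfile.ZipFile(jar_file) as jar:
        for name in jar.namelist():
            report["log4j1"] |= name.startswith(LOG4J1_PREFIX)
            report["log4j2"] |= name.startswith(LOG4J2_PREFIX)
            report["jndi_lookup"] |= name == JNDI_LOOKUP
            match = POM_PROPS.match(name)
            if match:
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        report["versions"][match.group(1)] = line.split("=", 1)[1].strip()
    return report

def verdict(report):
    """Apply the advisory's range: log4j-core 2.0 through 2.14.1 is affected."""
    if not report["log4j2"]:
        return "not affected"          # only Log4j 1.x (e.g. AMQ's 1.2.17) or none at all
    core = report["versions"].get("log4j-core")
    if core is None:
        return "unknown"               # 2.x present but no version metadata: inspect by hand
    parts = tuple(int(p) for p in re.findall(r"\d+", core)[:3])
    return "affected" if (2, 0) <= parts[:2] and parts <= (2, 14, 1) else "not affected"

def build_sample_jar(log4j_version):
    """Constructed stand-in for a vendor uber JAR (assumption: layout mirrors activemq-all)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/activemq/ActiveMQConnection.class", b"")
        if log4j_version.startswith("1."):
            jar.writestr("org/apache/log4j/Logger.class", b"")
            jar.writestr("META-INF/maven/log4j/log4j/pom.properties", f"version={log4j_version}\n")
        else:
            jar.writestr(JNDI_LOOKUP, b"")
            jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                         f"version={log4j_version}\n")
    buf.seek(0)
    return buf
```

For a real check, pass the path of each JAR on the adapter's Classpath to inspect_jar in place of the constructed buffer.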
JNBridgePro is not affected by the log4j vulnerability CVE-2021-44228
Two of the JNBridgePro demos use the log4j package but the JAR files are not included in the demo. The user is responsible for downloading the package. Use either a 1.x version of log4j or log4j version 2.15.0 to avoid the vulnerability.
For more information, contact support@jnbridge.com.