Is Netreo vulnerable to the Log4j remote code execution exploit?
  • 09 Jan 2023


Short Answer
No. Netreo IS NOT vulnerable to this exploit.

On December 9th, 2021, it was announced that version 2.x of the Apache Log4j library was vulnerable to a remote code execution (RCE) exploit, CVE-2021-44228, which allows access to servers using it. Netreo engineering and security teams have confirmed that none of Netreo's products or platforms are vulnerable to this exploit. The OmniCenter series of products does not use Java or Log4j in its technology stack, so this vulnerability does not apply. The Retrace product does use Java; however, it uses an older version of the Log4j library that is not vulnerable to this exploit.

We are continuously monitoring all our environments for any indication of active threats and exploits.

If you have manually configured Log4j to work with Retrace or Prefix, or are using the stackify-log-log4j2 library, please check your individual deployment to make sure you have not installed a vulnerable version of Log4j and ensure you have upgraded to at least version 4.0.3 of the stackify-log-log4j2 library.
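
One way to run that check over a deployment directory, as an added example rather than Netreo's own tooling. It matches jar file names only (shaded or repackaged copies are not detected) and uses the Apache-published affected range for CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1, fixed in 2.15.0 with backports in 2.12.2 and 2.3.1. The function names and sample file names are constructed for illustration.

```python
import os
import re
import tempfile

# Jar names of the form <artifact>-<version>.jar; a suffix such as -beta9 is kept separately.
JAR_RE = re.compile(r"^(log4j-core|stackify-log-log4j2)-(\d+(?:\.\d+)*)([-.\w]*)\.jar$")

def numeric(version):
    """'2.14.1' -> (2, 14, 1), padded to three parts for comparison."""
    parts = [int(p) for p in version.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def log4j_core_affected(v):
    """CVE-2021-44228 range: 2.0-beta9 through 2.14.1; fixed in 2.15.0, 2.12.2, 2.3.1.
    Earlier 2.0 pre-releases are flagged too, conservatively (assumption of this example)."""
    if v[0] != 2 or v >= (2, 15, 0):
        return False            # Log4j 1.x naming never matches; 2.15.0+ carries the fix
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return False            # backported fix on the 2.12 line
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False            # backported fix on the 2.3 line
    return True

def audit(root):
    """Walk root and return sorted (relative_path, artifact, version, verdict) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            artifact, ver = m.group(1), numeric(m.group(2))
            if artifact == "log4j-core":
                bad = log4j_core_affected(ver)
            else:  # stackify-log-log4j2: the article asks for at least 4.0.3
                bad = ver < (4, 0, 3)
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings.append((rel, artifact, m.group(2) + m.group(3), "UPGRADE" if bad else "ok"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree: empty files that only carry the jar names.
    with tempfile.TemporaryDirectory() as root:
        for jar in ("log4j-core-2.14.1.jar", "log4j-core-2.17.1.jar", "stackify-log-log4j2-4.0.2.jar"):
            open(os.path.join(root, jar), "w").close()
        for row in audit(root):
            print(*row, sep="\t")
```

Point `audit()` at the application's library directory (for example the folder holding its `WEB-INF/lib` jars); any row marked `UPGRADE` needs a closer look.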

If you have any concerns, please feel free to contact Netreo Support.

