Cerberus is not and cannot be affected by the log4j 0-day vulnerability described by CVE-2021-44228. Cerberus FTP Server does not use the vulnerable Java log4j library; it uses Log4cxx, a C++ logging library patterned after log4j. Although Log4cxx follows the same design, the two libraries are fundamentally different and do not share any code.
The CVE-2021-44228 vulnerability in log4j has to do with the Java Naming and Directory Interface (JNDI) performing an LDAP lookup for strings embedded in log messages and then executing the code returned from that lookup. Cerberus does not, and cannot, do that using Log4cxx. That capability and the associated vulnerability are specific to the Java log4j library.
The Cerberus team has analyzed the Log4cxx library to ensure that the JNDI capability required to execute this vulnerability is not present.
Update: No versions of Cerberus FTP Server use log4j, and none are susceptible to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2022-23302, CVE-2022-23305, or CVE-2022-23307.