Inphinity Suite Not Affected By Log4Shell Vulnerability
We are aware of the recently disclosed RCE (Remote Code Execution) vulnerability in the Log4j2 library, CVE-2021-44228 (also called Log4Shell).
We reviewed our products and the libraries they use and determined that our products are not affected by this vulnerability; see details below:
Inphinity Forms does not use any version of the Log4j library and thus is not affected by CVE-2021-44228.
Inphinity Flow is a front-end extension that does not use Java at all and does not use the Log4j library, and thus is not affected by Log4Shell.
Inphinity Mole UDC uses Log4j v1.2.17, which is not affected by CVE-2021-44228. This version does not contain the exploitable JndiLookup class present in versions from 2.0 to 2.14.1. Currently, there is no knowledge of RCE exploits against Log4j v1.2 log message substitution similar to Log4j2.
Another vulnerability (CVE-2019-17571) was found to be present in the library version used, but the affected component (SocketServer class) is not used in the product and the product is not affected by CVE-2019-17571.
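One way to check the class-presence reasoning above against your own deployment archives, as an added example that is not Inphinity's code. The archive names and sample jars are constructed; the scan only reports which class files are shipped, including in nested archives, and does not show whether they are used.

```python
import io
import zipfile

# Class files whose presence matters for the two CVEs named in the advisory.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "CVE-2021-44228: Log4j 2.x JndiLookup present",
    "org/apache/log4j/net/SocketServer.class":
        "CVE-2019-17571: Log4j 1.x SocketServer shipped (confirm it is never started)",
}
NESTED = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label="archive", depth=0, max_depth=5):
    """Return sorted (location, finding) pairs for one archive given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            if name in MARKERS:
                findings.append((f"{label}!/{name}", MARKERS[name]))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                # Fat jars and WARs bundle libraries as nested archives.
                findings += scan_archive(zf.read(name), f"{label}!/{name}",
                                         depth + 1, max_depth)
    return sorted(findings)


def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: empty placeholder class files, not real Log4j builds.
LOG4J_1 = make_jar({"org/apache/log4j/net/SocketServer.class": b""})
LOG4J_2 = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
APP_WAR = make_jar({"WEB-INF/lib/log4j-1.2.17.jar": LOG4J_1})
FAT_JAR = make_jar({"BOOT-INF/lib/log4j-core.jar": LOG4J_2})

if __name__ == "__main__":
    for hit in scan_archive(APP_WAR, "app.war") + scan_archive(FAT_JAR, "fat.jar"):
        print(*hit, sep=" -> ")
```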
Regarding Qlik Sense and related products, you can find information here.