- Currently the latest JS1 and JS7 JobScheduler components use log4j 2.17.0.
- A vulnerability affects log4j2 version 2.17.0:
- CVE-2021-44832, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- Severity Level: LOW
- There is no exploit with current JS1 and JS7 JobScheduler components.
- JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include configuration items that are subject to the vulnerability CVE-2021-44832. However, this might not apply if users modified JobScheduler's log4j configuration files to use JDBC data sources.
- Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
- The nature of this vulnerability requires administrative access to JobScheduler's log4j configuration files.
- Due to a vulnerability in older log4j releases, JobScheduler and JS7 components should use the current version 2.17.1, which fixes the issues.
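
To check whether a modified log4j2.xml falls under the JDBC data source case noted above, the following added example (not SOS or JobScheduler code) lists every JDBC appender that uses a `DataSource` and marks JNDI names outside the `java:` namespace, which is what log4j 2.17.1 restricts. The function name `audit_log4j2_config` and the sample configuration are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a file shipped with JobScheduler): a JDBC appender
# whose DataSource uses a JNDI name outside the java: namespace.
SAMPLE_MODIFIED = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="ldap://placeholder.invalid/constructed"/>
    </JDBC>
  </Appenders>
</Configuration>"""

def _local(tag):
    # Drop an XML namespace prefix and compare element names case-insensitively.
    return tag.rsplit("}", 1)[-1].lower()

def _attr(elem, name):
    # Case-insensitive attribute lookup.
    return next((v for k, v in elem.attrib.items() if k.lower() == name.lower()), None)

def audit_log4j2_config(xml_data):
    """Return (appender name, jndiName, level) for each JDBC appender DataSource."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        tag = _local(elem.tag)
        # Concise form <JDBC ...> or strict form <Appender type="JDBC" ...>.
        if tag != "jdbc" and not (tag == "appender" and (_attr(elem, "type") or "").lower() == "jdbc"):
            continue
        for child in elem.iter():
            if _local(child.tag) != "datasource":
                continue
            jndi = _attr(child, "jndiName") or ""
            # 2.17.1 only accepts java: names here; anything else is the risky case.
            level = "review" if jndi.lower().startswith("java:") else "high"
            findings.append((_attr(elem, "name"), jndi, level))
    return findings

if __name__ == "__main__":
    # Usage: python audit_log4j2.py /path/to/log4j2.xml [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for name, jndi, level in audit_log4j2_config(fh.read()):
                print(f"{path}: JDBC appender {name!r} jndiName={jndi!r} [{level}]")
```

An empty result means the file contains no JDBC appender with a data source, which matches the shipped configurations described above.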