Log4j code vulnerability in tax planning program

SusanBradley
Level 3

In scanning my network with https://github.com/Qualys/log4jscanwin I found that all versions of the Lacerte tax planning (not the main program but the planning) software include log4j.jar software. The newest tax planning software program has version 1.2.17

VU#930724 - Apache Log4j allows insecure JNDI lookups (cert.org)

What are Lacerte's plans to first notify us that we do have this on our networks and then to update the supported software to remove the vulnerable code from this software?

3 Comments
SusanBradley
Level 3

I did a scan of the local C drives and log4j.jar (vulnerable) is also in the local folders on the local machines of the main tax software program.

SusanBradley
Level 3

"Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. "


Log4j 2.x is not in desktop Lacerte. It's Log4j 1.x

CVE - CVE-2021-4104 (mitre.org)

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
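As an added example (not code from this thread, from Intuit/Lacerte, or from the Qualys scanner), the script below does the two checks the posts above describe: it walks a directory for jars that carry Log4j's Maven metadata and reads the version out of them, and it inspects a Log4j 1.x configuration for the JMSAppender wiring that CVE-2021-4104 requires. The jars, the directory layout, and the two log4j.properties texts are constructed inside the script so it runs offline; the 2.15.0 cutoff for CVE-2021-44228 is the upstream fix version, not something stated in the thread.

```python
"""Locate Log4j jars, read their version, and check a Log4j 1.x config for
JMSAppender (CVE-2021-4104). Added example; not Intuit/Lacerte/Qualys code."""
import os
import re
import tempfile
import zipfile

# File-name pattern used only to decide whether the manifest fallback applies.
JAR_NAME = re.compile(r"^log4j(-core)?[-_]?([0-9][\w.]*)?\.jar$", re.IGNORECASE)
# Maven metadata Log4j 1.x (log4j/log4j) and 2.x (org.apache.logging.log4j/log4j-core) ship.
POM_PROPS = re.compile(r"^META-INF/maven/.*/(log4j|log4j-core)/pom\.properties$")
JMS_APPENDER = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

# Constructed log4j.properties samples: one plain file appender, one JMSAppender.
SAFE_CONFIG = """# constructed: file appender only
log4j.rootLogger=INFO, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=planner.log
#log4j.appender.JMS=org.apache.log4j.net.JMSAppender
"""
JMS_CONFIG = """# constructed: JMSAppender configured, CVE-2021-4104 applies
log4j.rootLogger=INFO, JMS
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=planner
log4j.appender.JMS.TopicConnectionFactoryBindingName=ConnectionFactory
"""


def parse_version(text):
    """'1.2.17' -> (1, 2, 17); ignores qualifiers such as '-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def jar_version(path):
    """Return the Log4j version recorded in a jar, or None if it is not a Log4j jar."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        for name in names:
            if POM_PROPS.match(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
        # Manifest fallback only for jars whose file name already says log4j.
        if JAR_NAME.match(os.path.basename(path)) and "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def classify(version):
    """1.x: end of life, CVE-2021-4104 only with JMSAppender; 2.x < 2.15.0: CVE-2021-44228."""
    v = parse_version(version)
    if v[:1] == (1,):
        return "LOG4J1"
    if v < (2, 15, 0):
        return "LOG4J2_CVE-2021-44228"
    return "LOG4J2_LATER"  # still check the later Log4j 2 advisories


def find_log4j_jars(root):
    """Walk root and return {jar filename: version} for every jar that identifies as Log4j."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".jar"):
                continue
            try:
                version = jar_version(os.path.join(dirpath, f))
            except zipfile.BadZipFile:
                continue
            if version:
                found[f] = version
    return found


def jms_appender_configured(config_text):
    """True if a log4j.properties or log4j.xml text wires up JMSAppender (comments ignored)."""
    text = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    live = [l for l in text.splitlines() if not l.lstrip().startswith(("#", "!"))]
    return any(JMS_APPENDER.search(l) for l in live)


def build_sample_jar(path, group, artifact, version):
    """Write a constructed jar holding only a manifest and Log4j-style pom.properties."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")


def demo():
    """Build a constructed install tree, scan it, and assess jars and configs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "planner", "log4j-1.2.17.jar"), "log4j", "log4j", "1.2.17")
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"),
                         "org.apache.logging.log4j", "log4j-core", "2.14.1")
        with zipfile.ZipFile(os.path.join(root, "lib", "other-lib.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # not Log4j
        jars = {name: (ver, classify(ver)) for name, ver in find_log4j_jars(root).items()}
    return {"jars": jars,
            "jms_appender": {"safe": jms_appender_configured(SAFE_CONFIG),
                             "jms": jms_appender_configured(JMS_CONFIG)}}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Point `find_log4j_jars` at the Lacerte program folders and the result tells you which jars are 1.x; for those, only a configuration that actually names `org.apache.log4j.net.JMSAppender` puts the CVE-2021-4104 path in play, which is why the config check is the second half of the assessment.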

BrentB9193
Level 3

Same, and I can get no action from Intuit.
