Log4Shell/Log4j Zero Day - We Got Your Back!

Darmstadt, December 16, 2021
You are probably already aware of the vulnerability in the Apache Log4j library (CVE-2021-44228) and are already reacting to it. Here we would like to show you what this means for our products and customers.

You can find details on the exploit here:

APIIDA API Gateway Manager (AAGM)

We’d like to inform you that the APIIDA API Gateway Manager is not affected.

APIIDA API Gateway Manager does not use Log4j. Instead, we use Monolog as the logging library, which is not affected by CVE-2021-44228. As of version Autumn 21, no Java-based components are included in the Docker image either. Up to and including the Summer 21 release, Broadcom’s Gateway Migration Utility is included in the Docker image. According to Broadcom, the Layer7 components do not use any of the vulnerable versions of Log4j.

Because AAGM is typically implemented together with Layer7 API Management products, we’d also like to refer to Broadcom’s publications.

Layer7 API Gateway

According to its vendor, Broadcom, the product is not affected. Please see this statement for details:
Layer7 API Gateway - Security Advisory - Log4J CVE-2021-44228

Other Layer7 Products and Services

For Layer7 API Gateway, API Developer Portal, OAuth Toolkit, Mobile API Gateway, MAG SDK, Live API Creator and API Performance Management (aka PAPIM), the vendor, Broadcom, has published consolidated information, including mitigation instructions:

We strongly recommend revisiting this APIIDA bulletin for any updates on the APIIDA API Gateway Manager, and revisiting Broadcom’s Product Information in their Support Portal and/or Broadcom’s Community “Layer7 API Management” for updates on their products. If you have any questions, feel free to contact us.