Does the Duo Gateway on Linux have any vulnerabilities related to log4j?
Hi @mike.s, thanks for sharing your question here. The TL;DR version of the answer to your question is no. The longer version can be read below:
Duo has completed an initial review of all relevant product components or services and has not identified any that were vulnerable to possible attack as a result of the Log4j (CVE-2021-44228) vulnerability. We are continuing to audit our systems as a precautionary measure. Duo customers do not need to take any action at this time.
Where applicable, we have patched product components or services that used an affected version of Log4j. However, none of these systems have any known paths to exploitation. We have chosen to identify as affected but remediated on the Cisco CVE response page out of an abundance of caution as we continue our audit.
We are continuing to monitor the situation and will provide customers with further updates if any action is required.
Excellent news, thank you for replying!