Why did we take our current approach to the December 2025 Apache Log4J vulnerability?
CVE-2025-68161 details a vulnerability within Apache Log4J2, a popular logging library. The vulnerability is, per the NVD, is as follows:
“The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
- The attacker is able to intercept or redirect network traffic between the client and the log receiver.
- The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates”.
Based on initial triaging of the vulnerability, RadiantOne IDDM is not impacted by this vulnerability, as we do not utilize socket appenders. The only way this would impact a customer is if they had written a custom appender for RadiantOne, which is not supported.
Radiant Logic will be releasing an update, 7.4.22, that addresses vulnerability. It is recommended that all organizations below 7.4.22 upgrade accordingly.
Is there additional context around this exploit?
There are currently no known proof of concepts or in-the-wild exploits that have been found for this CVE, and there are no good articles on how these exploits could be used in the wild that were found as of 3/10/2026.
Is Radiant Logic IDA Impacted by This?
While initial triage indicates Radiant Logic is not directly impacted, an update to IDA will be released fixing this vulnerability. The release details are still being worked out.
Is Radiant Logic’s SaaS offerings impacted by this vulnerability?
While initial triage indicates Radiant Logic is not directly impacted, an update to the SaaS offering for IDDM will be released. This release is targeted for the end of April, 2026.
Is Radiant Logic IDDM 8.X.X impacted by this vulnerability?
While initial triage indicates Radiant Logic is not directly impacted, an update to 8.4.0 for IDDM will be released. This release is targeted for the end of April, 2026.
Is Radiant Logic IDO impacted by this vulnerability?
While initial triage indicates Radiant Logic is not directly impacted, an update to 8.X.X for IDDM will be released. The release details are still being worked out.
Is CFS Impacted by This?
No, CFS is a .NET product that does not use any Java libraries.
What about IDDM 7.2, or IDDM 7.3?
JMSHA is limited to 7.2 and is not currently being updated. Versions 7.2 and 7.3 are no longer supported for bug or security fixes. That said, socket appenders are not used by either version.
Comments
Please sign in to leave a comment.