Is Autopsy 4.19.3 using Apache Log4j vulnerable to CVE-2021-44832?

When 4.19.3 was deployed in December 2021, it was released with an embedded Apache Log4j version of 2.16. Tenable is identifying anything under 2.17.1 as vulnerable to CVE-2021-44832. Has 2.16 been retested for the exploits discovered in this CVE? If so, when is the next release of Autopsy going to occur?

NVD - CVE-2021-44832 (nist.gov)
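
A defender's inventory check for the version question above, added here as an example and not part of this thread or of Autopsy's own code: it walks an install tree, reads each bundled log4j-core jar's own version, and flags anything below the 2.17.1 threshold the question quotes from Tenable. The directory names and jars in the fixture are constructed for the demo, not real Autopsy paths or Log4j builds.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Threshold quoted in the thread: Tenable flags anything under 2.17.1 for CVE-2021-44832.
FIXED_VERSION = (2, 17, 1)
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.17.1' or '2.16.0-rc1' -> (2, 17, 1) / (2, 16, 0); any suffix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def version_from_jar(path):
    """Prefer the jar's own MANIFEST.MF Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except (OSError, zipfile.BadZipFile, KeyError):
        pass  # unreadable, not a jar, or no manifest: trust the file name instead
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None

def scan_tree(root):
    """Map each log4j-core jar under root to (version, needs_update) against FIXED_VERSION."""
    findings = {}
    for path in Path(root).rglob("log4j-core-*.jar"):
        ver = version_from_jar(str(path))
        if ver is not None:
            findings[path.name] = (ver, parse_version(ver) < FIXED_VERSION)
    return findings

def build_fixture(root):
    """Constructed sample tree: two minimal jars with manifests, not real Log4j builds."""
    for sub, ver in (("app/lib", "2.16.0"), ("solr/lib", "2.17.1")):  # constructed paths
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(d / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)

if __name__ == "__main__":
    for jar, (ver, needs_update) in sorted(demo().items()):
        print(f"{jar}: {ver} {'UPDATE to 2.17.1' if needs_update else 'ok'}")
```

Point `scan_tree` at a real install directory to inventory the bundled Log4j copies; the manifest is read because a jar can be renamed while its manifest still carries the build's version.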

The next release of Autopsy in early October, 2022 will have Log4j version 2.17.1 as part of it.

Thank you very much.

Good Morning,

Are you able to tell me why the next release of Sleuth Kit has been delayed?

I look forward to hearing from you,
David Rider

I was delayed in doing the testing on it. I just finished testing last night so it should be out soon. Here is part of the news.txt that relates to this release.

---------------- VERSION 4.20.0 --------------
Recent Activity Updates:

  • Added Favicons, Profiles and Extensions to Chromium Browsers
  • Added Security Questions/Answers from SAM registry Hive

Datasource Processing

  • Added Jython Support
  • Added example Python plugin

Ingest Module

  • New DataArtifact ingest module for analyzing data artifacts

Linux / Mac Improvements

  • Script to install prerequisites using Homebrew and debian package.
  • Script that allows you to install TSK from source
  • Script that sets JAVA home per install
  • Updating Linux and Mac Installation Documentation

Command Line Interface

  • Simplified command line input parameters
  • Command Line Interface changes - The -listAllIngestProfiles switch was added,
    the initialization code was modified to make the java.exe switch –nogui work
    (splash screen will appear, but framework window will not), and return codes
    will be pushed up so that the return value of java.exe reflects the return
    value of our application.

Bug Fixes:

  • Solr 8.11.2 Upgrade which includes update to Log4j to version 2.17.1
  • Change Timezone format for Plaso output.
  • Regex fix for Mbox parsing.
  • Portable Case report string index out of range -1 fixed
  • Extracting files, numbering of files and overwriting of files.
  • Image tagging
  • Joda-Time updated from 2.4 to 2.10 - fixes certain timezone errors

Misc:

  • Update to USB id’s.
  • Update Tesseract to 4.10.
  • Config changes - moves config settings that could/should be moved to a separate
    computer to a common config folder. Those settings can be zipped and taken
    to a different computer and extracted.
  • File filter exclude rules: For interesting files and file filters, you can now
    create rules that will exclude certain files in addition to including them.
  • Adds host to artifact content viewer.
  • When an OS Account is selected the Other Occurrences tab will no longer show the
    open case in the case list.
  • The Communication window Message Viewer Threads panel layout was cleaned up so
    that the buttons are visible despite the subject length.
  • Limit ingest inbox messages to first 20 keyword hits
  • GStreamer update to version 1.20.0
  • libheif v1.12.0 replaces ImageMagick
  • Removal of 32bit version of Autopsy

So here is a question for you. What features or functionality would you like to see added to Autopsy in the future?