Apache log4j has a critical zero-day vulnerability (CVSS score of 10), CVE-2021-44228.
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

The vulnerability appears to impact log4j 2.x through 2.15.0-rc1. Upon a cursory check, Ciphermail appears to use log4j 1.2.15, which, while end of life and potentially vulnerable to other threats, shouldn't be vulnerable to this specific flaw. As a result, the mitigating controls may not be applicable or necessary.

Thoughts or discussion?
