Hi Ricky,

CipherMail Gateway and Webmail Messenger are *not* vulnerable to CVE-2021-44228 because an older version of log4j (1.2) is used which does not contain the (vulnerable) lookup functionality.

When we became aware, a few hours after the details were posted, that log4j was exploitable, we analyzed the exploit and concluded that CipherMail was not vulnerable. CipherMail uses version 1.2.15 of the log4j library. This version is still widely deployed. It is true that version 1.x of log4j is no longer supported; however, we always analyze the impact of any published exploit to see whether a CipherMail product is affected or not. We are not aware of any vulnerabilities in the default configuration of 1.x as used by CipherMail. We will further analyze whether to upgrade to a newer version of log4j or to use a different logging library instead.

Kind regards,

Martijn Brinkers

On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> Apache log4j has a critical zero-day vulnerability (CVSS score of
> 10), CVE-2021-44228.
>
> https://logging.apache.org/log4j/2.x/security.html
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
>
> The vulnerability appears to impact log4j 2.x through 2.15.0-rc1. Upon
> a cursory check, CipherMail appears to use log4j 1.2.15, which, while
> end of life and potentially vulnerable to other threats, shouldn't be
> vulnerable to this specific flaw. As a result, the mitigating
> controls may not be applicable or necessary.
>
> Thoughts, or discussion?

-- 
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF Messenger and Webmail Messenger
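
The question both messages turn on is whether a deployed log4j jar is a 1.2.x jar (no lookup mechanism at all) or a 2.x log4j-core jar that still ships the JNDI lookup class. The script below is an added example, not code from CipherMail or from either poster: it opens each jar as a zip, reads the Maven version from pom.properties, checks for the log4j 1.x and 2.x marker classes and for org/apache/logging/log4j/core/lookup/JndiLookup.class, and recurses into jars embedded in a WAR. The sample archives are constructed in memory with placeholder class bodies so the check runs offline; `scan_path` does the same over a real directory. A jar flagged "not exposed" here is only cleared for this specific flaw; it says nothing about the end-of-life status of 1.x that Ricky mentions.

```python
"""Offline triage for CVE-2021-44228: which jars carry the log4j 2.x JNDI lookup
class, and which are log4j 1.x with no lookup mechanism at all."""
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# The lookup that makes CVE-2021-44228 exploitable exists only in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"                    # log4j 1.2.x
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"  # log4j-core 2.x
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class JarReport:
    name: str
    version: Optional[str]  # from META-INF/maven/**/pom.properties when present
    log4j1: bool
    log4j2_core: bool
    has_jndi_lookup: bool

    @property
    def exposed_to_cve_2021_44228(self) -> bool:
        # log4j 1.x has no ${...} lookup machinery, so only a 2.x core jar that
        # still ships JndiLookup.class is flagged.
        return self.log4j2_core and self.has_jndi_lookup


def _maven_version(zf: zipfile.ZipFile) -> Optional[str]:
    for entry in zf.namelist():
        if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_archive(name: str, data: bytes) -> List[JarReport]:
    """Report on one archive and, recursively, on any jar it embeds (e.g. WEB-INF/lib)."""
    reports: List[JarReport] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reports  # not a zip: nothing to say about it
    with zf:
        names = set(zf.namelist())
        reports.append(JarReport(name=name, version=_maven_version(zf),
                                 log4j1=LOG4J1_MARKER in names,
                                 log4j2_core=LOG4J2_CORE_MARKER in names,
                                 has_jndi_lookup=JNDI_LOOKUP_CLASS in names))
        for entry in sorted(names):
            if entry.lower().endswith(NESTED_SUFFIXES):
                reports.extend(inspect_archive(f"{name}!{entry}", zf.read(entry)))
    return reports


def scan_path(root: str) -> List[JarReport]:
    """Walk a directory tree (an application's lib/ dir) and inspect every archive."""
    reports: List[JarReport] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(NESTED_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    reports.extend(inspect_archive(path, fh.read()))
    return reports


def exposed_names(reports: List[JarReport]) -> List[str]:
    return [r.name for r in reports if r.exposed_to_cve_2021_44228]


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct the sample archives below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples: entry names mimic real jars, class bodies are placeholders.
SAMPLE_LOG4J_1_2_15 = make_jar({
    LOG4J1_MARKER: b"\xca\xfe\xba\xbe",
    "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.15\ngroupId=log4j\n",
})
SAMPLE_LOG4J_CORE_2_14_1 = make_jar({
    LOG4J2_CORE_MARKER: b"\xca\xfe\xba\xbe",
    JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n",
})
# The same 2.x jar after JndiLookup.class has been deleted from it.
SAMPLE_LOG4J_CORE_2_14_1_STRIPPED = make_jar({
    LOG4J2_CORE_MARKER: b"\xca\xfe\xba\xbe",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n",
})
# A WAR bundling the vulnerable core jar, to exercise the nested-archive path.
SAMPLE_WAR = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": SAMPLE_LOG4J_CORE_2_14_1})

if __name__ == "__main__":
    for label, blob in [("log4j-1.2.15.jar", SAMPLE_LOG4J_1_2_15),
                        ("log4j-core-2.14.1.jar", SAMPLE_LOG4J_CORE_2_14_1),
                        ("app.war", SAMPLE_WAR)]:
        for r in inspect_archive(label, blob):
            print(f"{r.name}: version={r.version} log4j1={r.log4j1} "
                  f"jndi_lookup={r.has_jndi_lookup} exposed={r.exposed_to_cve_2021_44228}")
```

On a real host, `exposed_names(scan_path("/path/to/app/lib"))` lists every archive, nested ones included, that still contains the JNDI lookup class; a log4j 1.2.15 jar reports `log4j1=True` and is never flagged, which is the outcome both messages in this thread describe.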
