Hello Martijn,

I found the following posting, that version 1.x may be affected, too, but in a different way (only LDAP based?):

https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Since the Pro version supports LDAP certificate lookups, could this be a problem?

Best wishes,
Stefan

-----Original Message-----
> From: Martijn Brinkers via Users <[email protected]>
> Sent: Monday, 13 December 2021 8:34
> To: [email protected]
> CC: [email protected]; Martijn Brinkers <[email protected]>
> Subject: [CipherMail User] Re: Apache log4j vulnerability, CVE-2021-44228
>
> Hi Ricky,
>
> CipherMail Gateway and Webmail Messenger are *not* vulnerable to
> CVE-2021-44228 because an older version of log4j (1.2) is used which
> does not contain the (vulnerable) lookup functionality.
>
> When we became aware, a few hours after the details were posted, that
> log4j was exploitable, we analyzed the exploit and concluded that
> CipherMail was not vulnerable.
>
> CipherMail uses version 1.2.15 of the log4j library. This version is
> still widely deployed. It is true that version 1.x of log4j is no
> longer supported, however we always analyze any impact of a published
> exploit to see whether a CipherMail product is impacted or not. We are
> not aware of any vulnerabilities in the default configuration of 1.x as
> used by CipherMail.
>
> We will further analyze whether we upgrade to a newer version of log4j
> or use a different logging library instead.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> > Apache log4j has a critical zero day vulnerability (CVSS score of
> > 10), CVE-2021-44228.
> >
> > https://logging.apache.org/log4j/2.x/security.html
> > https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
> >
> > The vulnerability appears to impact log4j 2.x thru 2.15.0-rc1. Upon
> > a cursory check, Ciphermail appears to use log4j 1.2.15, which while
> > end of life and potentially vulnerable to other threats, shouldn't be
> > vulnerable to this specific flaw. As a result, the mitigating
> > controls may not be applicable or necessary.
> >
> > Thoughts, or discussion?
> --
> CipherMail email encryption
> Email encryption with support for S/MIME,
> OpenPGP, PDF Messenger and Webmail Messenger
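Added example (not code from CipherMail or from anyone in this thread): a small Python inventory check that decides, from a jar's entries alone, whether it is a log4j 2.x core build carrying the JndiLookup class (the lookup functionality the reply above says log4j 1.2 does not contain) or a log4j 1.2.x build without it. The two sample jars are constructed in memory with empty placeholder entries; the pom.properties path and the class names are the ones real Maven-built log4j jars use, and the version strings are the ones mentioned in the thread.

```python
import io
import zipfile
from typing import Optional

# Entry present in log4j 2.x core builds that carry the JNDI lookup
# (the lookup functionality the thread says log4j 1.2 does not contain).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Entry present in log4j 1.2.x builds (the 1.x logger class).
LOG4J1_LOGGER_CLASS = "org/apache/log4j/Logger.class"

def log4j_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read the Maven version from META-INF/maven/*/pom.properties, if present."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None

def assess_jar(data: bytes) -> dict:
    """Classify a jar by its version string and by which marker classes it contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        return {
            "version": log4j_version(zf),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            "log4j1_present": LOG4J1_LOGGER_CLASS in names,
        }

def build_sample_jar(version: str, group: str, artifact: str, classes) -> bytes:
    """Constructed stand-in jar for offline testing; not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
        for entry in classes:
            zf.writestr(entry, b"")  # empty placeholder; only the entry name matters
    return buf.getvalue()

# Constructed samples: the 1.2.15 build the thread mentions, and a 2.x build
# with the JndiLookup class (version string taken from the thread's range).
SAMPLE_LOG4J_1_2_15 = build_sample_jar("1.2.15", "log4j", "log4j", [LOG4J1_LOGGER_CLASS])
SAMPLE_LOG4J_2 = build_sample_jar("2.15.0-rc1", "org.apache.logging.log4j", "log4j-core",
                                  [JNDI_LOOKUP_CLASS])

if __name__ == "__main__":
    for label, jar in (("1.2.15 sample", SAMPLE_LOG4J_1_2_15), ("2.x sample", SAMPLE_LOG4J_2)):
        print(label, assess_jar(jar))
```

Presence of the class only tells you a jar carries the lookup code; whether a given 2.x version is actually affected still has to be checked against the vendor advisory linked in the thread.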
