Version 1.x can be configured to use JMSAppender. This is not
configured by CipherMail. Using a JMSAppender is a very specialized
config option which is not widely used and certainly not by default.

But even *if* you configure a JMSAppender, it can only be misused *if*
an attacker can also change the log4j config file. If an attacker is
able to change a config file on your file system, it means the attacker
already used a different method to get in. An external user is not able
to change a local config file.

The problem with the JMSAppender in version 1.x cannot be compared to
CVE-2021-44228.

See some details from the original author of log4j 1.x:

http://slf4j.org/log4shell.html

Unless you allow an external user to change your local config files,
using log4j 1.x is safe.

CipherMail gateway is safe because an external user cannot change the
local config file.

You should of course check other software, like for example Tomcat, to
investigate whether it uses a vulnerable log4j jar.

PS. Since log4j 1.x is old, we are working on upgrading to the latest
version 2. Not because 1.x is not safe but because version 1 is EOL.

Kind regards,

Martijn 


On Tue, 2021-12-14 at 11:52 +0000, Stefan Michael Guenther wrote:
> Hello Martijn,
> 
> I found the following posting stating that version 1.x may be affected,
> too, but in a different way (LDAP-based only?):
> 
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
> 
> Since the Pro version supports LDAP certificate lookups, could this be
> a problem?
> 
> Best wishes,
> 
> Stefan
> 
> -----Original Message-----
> > From: Martijn Brinkers via Users <[email protected]>
> > Sent: Monday, 13 December 2021 8:34
> > To: [email protected]
> > CC: [email protected]; Martijn Brinkers <[email protected]>
> > Subject: [CipherMail User] Re: Apache log4j vulnerability, CVE-2021-44228
> > 
> > Hi Ricky,
> > 
> > CipherMail Gateway and Webmail Messenger are *not* vulnerable to
> > CVE-2021-44228 because an older version of log4j (1.2) is used which
> > does not contain the (vulnerable) lookup functionality.
> > 
> > When we became aware, a few hours after the details were posted, that
> > log4j was exploitable, we analyzed the exploit and concluded that
> > CipherMail was not vulnerable.
> > 
> > CipherMail uses version 1.2.15 of the log4j library. This version is
> > still widely deployed. It is true that version 1.x of log4j is no
> > longer supported, however we always analyze any impact of a published
> > exploit to see whether a CipherMail product is impacted or not. We are
> > not aware of any vulnerabilities in the default configuration of 1.x as
> > used by CipherMail.
> > 
> > We will further analyze whether we upgrade to a newer version of log4j
> > or use a different logging library instead.
> > 
> > Kind regards,
> > 
> > Martijn Brinkers
> > 
> > 
> > On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> > > Apache log4j has a critical zero day vulnerability (CVSS score of
> > > 10), CVE-2021-44228.
> > > 
> > > https://logging.apache.org/log4j/2.x/security.html
> > > https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
> > > 
> > > The vulnerability appears to impact log4j 2.x through 2.15.0-rc1. Upon
> > > a cursory check, CipherMail appears to use log4j 1.2.15, which, while
> > > end of life and potentially vulnerable to other threats, shouldn't be
> > > vulnerable to this specific flaw. As a result, the mitigating
> > > controls may not be applicable or necessary.
> > > 
> > > Thoughts, or discussion?
> > -- 
> > CipherMail email encryption
> > Email encryption with support for S/MIME,
> > OpenPGP, PDF Messenger and Webmail Messenger
> > 
> > 
-- 
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
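The two checks the thread recommends, confirming that no log4j 1.x config enables a JMSAppender and that no other software on the host ships a log4j 2.x jar below 2.15.0, as an added example audit script that is not CipherMail's own code; the properties snippet and jar names are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed sample log4j 1.x properties file; the "jms" appender is
# deliberately present so the audit has something to flag.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.Factory
"""

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# Matches "log4j.appender.<name>=<class>" (not the per-appender properties).
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# Matches log4j-<ver>.jar (1.x) and log4j-core-<ver>.jar (2.x), rc suffix optional.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)(-rc\d+)?\.jar$")


def find_jms_appenders(config_text: str) -> List[str]:
    """Return the names of appenders whose class is the log4j 1.x JMSAppender."""
    hits = []
    for line in config_text.splitlines():
        m = APPENDER_RE.match(line)
        if m and m.group(2) == JMS_APPENDER:
            hits.append(m.group(1))
    return hits


def classify_jar(jar_name: str) -> Optional[str]:
    """Classify a log4j jar by the version in its file name; None if not log4j."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups()[:3])
    rc = m.group(4)
    if major == 1:
        return "log4j 1.x: not affected by CVE-2021-44228, EOL; review appenders"
    # The thread reports 2.x through 2.15.0-rc1 as affected; the 2.15.0 release is the fix.
    if major == 2 and ((minor, patch) < (15, 0) or ((minor, patch) == (15, 0) and rc)):
        return "log4j 2.x before 2.15.0 release: affected by CVE-2021-44228, upgrade"
    return "log4j 2.15.0 or later: not affected by CVE-2021-44228"


if __name__ == "__main__":
    print("JMSAppender(s) configured:", find_jms_appenders(SAMPLE_CONFIG))
    for jar in ("log4j-1.2.15.jar", "log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar"):
        print(jar, "->", classify_jar(jar))
```

Run it over the real properties files and the lib directories of each Java service on the host (Tomcat included); a non-empty appender list on a 1.x install means the JMSAppender caveat from the thread applies and the config file's write permissions deserve a look.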
