On Tue, 2021-12-14 at 13:11 +0100, Martijn Brinkers via Users wrote:
> Version 1.x can be configured to use JMSAppender. This is not
> configured by CipherMail. Using a JMSAppender is a very specialized
> config option which is not widely used and certainly not by
> default.
>
> But even *if* you configure a JMSAppender, it can only be misused
> *if* an attacker can also change the log4j config file. If an
> attacker is able to change a config file on your file system, it
> means the attacker already used a different method to get in. An
> external user is not able to change a local config file.
The vulnerability regarding Log4j 1.x is now tracked as CVE-2021-4104. As Martijn already said, CipherMail products are not impacted because of the specific configuration used. The blog post on our website has been updated to reflect this: https://www.ciphermail.com/blog/ciphermail-gateway-and-webmail-messenger-are-not-vulnerable-to-cve-2021-44228.html

> The problem with the JMSAppender in version 1.x cannot be compared
> to CVE-2021-44228.

...regarding security impact, that is. They are somewhat similar in how a potential attack would be executed (with the JNDI requests and all).

> See some details from the original author of log4j 1.X:
> http://slf4j.org/log4shell.html

To point to the authoritative CVE source:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

These entries have all the references to information you never wanted to know about the Log4j vulnerabilities.

> Unless you allow an external user to change your local config
> files, using log4j 1.x is safe.

I'd like to add some nuance to this: we can't say that Log4j 1.x is "safe", but we are certain that Log4j 1.2.15 as used by CipherMail products (which do not allow external users to change the local config files) does not pose a significant risk for our users and customers.

> PS. Since log4j 1.x is old, we are working on upgrading to the latest
> version 2. Not because 1.x is not safe but because version 1 is EOL.

Updated packages can be expected soon. See also the aforementioned blog post.

To reiterate: certain Log4j versions are vulnerable, but not all versions and vulnerabilities are created equally. The version used by CipherMail is, in its specific configuration, not vulnerable.

Kind regards,
Imre Jonk
CipherMail B.V.
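The thread's argument is that CVE-2021-4104 only matters when a Log4j 1.x deployment actually configures org.apache.log4j.net.JMSAppender and an attacker can also write the config file. The following audit script is an added example, not code from this thread or from CipherMail: it checks the first condition by parsing a Log4j 1.x properties-style configuration, reports any appender of that class together with the JNDI-related options it would use, and tells you whether that appender is actually attached to a logger. The sample configuration is constructed for illustration (the broker host and context factory class are placeholders); the second condition, who can write the file, remains a file-permission question that this script does not answer.

```python
"""Audit a Log4j 1.x properties configuration for JMSAppender usage.

Added example, not from the mailing-list thread or CipherMail.  Assumes the
log4j 1.x properties-file format (log4j.appender.<name>=<class>,
log4j.appender.<name>.<option>=<value>, log4j.rootLogger=LEVEL, a, b).
"""
import re
from typing import Dict, List, Set

# Constructed sample: one ordinary file appender plus one JMS appender.
# Host names and the context factory class are placeholders.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app/app.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.example.ExampleContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Options of JMSAppender that are resolved through JNDI.
JNDI_KEYS = ("InitialContextFactoryName", "ProviderURL",
             "TopicBindingName", "TopicConnectionFactoryBindingName")
# Keys whose value lists the appenders attached to a logger.
_LOGGER_PREFIXES = ("log4j.rootLogger", "log4j.rootCategory",
                    "log4j.logger.", "log4j.category.")

_APPENDER_RE = re.compile(
    r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")


def parse_appenders(text: str) -> Dict[str, Dict[str, str]]:
    """Return {appender_name: {"class": ..., <option>: <value>, ...}}."""
    appenders: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # properties-file comment lines
        m = _APPENDER_RE.match(line)
        if not m:
            continue
        name, option, value = m.group(1), m.group(2), m.group(3).strip()
        entry = appenders.setdefault(name, {})
        if option is None:
            entry["class"] = value
        else:
            entry[option] = value
    return appenders


def attached_appenders(text: str) -> Set[str]:
    """Appender names referenced by the root logger or any named logger."""
    attached: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(_LOGGER_PREFIXES) or "=" not in line:
            continue
        value = line.split("=", 1)[1]
        # Value format: LEVEL, appender1, appender2 ...
        parts = [p.strip() for p in value.split(",")]
        attached.update(p for p in parts[1:] if p)
    return attached


def find_jms_appenders(text: str) -> List[Dict[str, str]]:
    """Every appender whose class is JMSAppender, with its JNDI options."""
    findings: List[Dict[str, str]] = []
    for name, opts in parse_appenders(text).items():
        if opts.get("class") != JMS_APPENDER_CLASS:
            continue
        finding = {"name": name}
        for key in JNDI_KEYS:
            if key in opts:
                finding[key] = opts[key]
        findings.append(finding)
    return findings


def is_jms_appender_active(text: str) -> bool:
    """True only if a JMSAppender is defined AND attached to some logger."""
    attached = attached_appenders(text)
    return any(f["name"] in attached for f in find_jms_appenders(text))


if __name__ == "__main__":
    for f in find_jms_appenders(SAMPLE_CONFIG):
        print("JMSAppender configured:", f)
    print("attached to a logger:", is_jms_appender_active(SAMPLE_CONFIG))
```

A defined-but-unattached appender is reported separately from an active one because Log4j 1.x only instantiates appenders that a logger references; on a clean deployment such as the one described above, `find_jms_appenders` should return an empty list for the shipped configuration.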