No Log4j vulnerabilities found in DATPROF Software
13 December, 2021 | Bert Nienhuis
Due to the recent information about the vulnerability of Apache’s Log4j, our software team has done extensive research.
We are happy to report that none of our software uses this logging system, so our software is not vulnerable to exploitation. The specific Log4j component is not used inside any of our products, including the following:
What is Log4j?
Log4j is a very common Java logging library developed by the Apache Software Foundation. A vulnerability in this component allows remote code execution, often from a context that is easily available to an attacker. This makes everyone employing Log4j a potential target for attacks.
The security risk with Log4j, also called CVE-2021-44228, Log4Shell or LogJam, is considered one of the most dangerous and most severe risks found in recent years. The vulnerability allows attackers to remotely abuse the privileges of web servers, with potentially significant consequential damage. Many large organizations use this component (it affects all versions), making them a potential target.
Information from NCSC (Dutch National Cyber Security Center)
A list of applications that might be vulnerable because of the Log4j vulnerability has been published on GitHub. This list is far from exhaustive and will be supplemented in the coming days with information about applications that are not yet on the list. Cybersecurity company Northwave has made a tool available to check whether your server is vulnerable. The NCSC refers to the disclaimer in the accompanying text.
We thought it was important to write this update so that DATPROF users could be reassured: DATPROF products do not use the specific Log4j component, so there are no vulnerabilities involved. If there is any news, we will keep our customers informed by email. We hope to have informed you sufficiently, but if you have any questions, don’t hesitate to contact us.