BSI: Critical vulnerability in log4j disclosed (CVE-2021-44228)

The security flaw in Java Logging log4j is currently making headlines and causing uncertainty. Log4j is a popular logging library for Java applications. Its function is the high-performance aggregation of an application’s logging data.

After initial reports on this security flaw were published, Mediaform commissioned an evaluation of the possible threat to its productive software solutions (PraxiKett Designer, fontio and the QM suite). Based on present knowledge, Mediaform’s products do not use any versions affected by the security flaw (which is contained only in Log4J Version 2.0 beta9 to Version 2.14.1). Moreover, the solutions developed by Mediaform do not use the vulnerable “log4j core” package.

log4j Version 1.xx contains an opportunity to insert extraneous code into the system. The preconditions necessary for this are: 1. Use of a “JMSAppender” that loads external data from a configured URL via JNDI. 2. A configuration that was introduced/manipulated. Mediaform does not use a “JMSAppender” in either the QM suite or in PraxiKett Designer, so consequently no external data can be inserted via JNDI.

Our applications developed in C#, e.g. ScanTools, OrderManagament, Document Generator, ArchiMedis and LabelProfi, are also unaffected by the security flaw in Java Logging log4j.

You can obtain more information from BSI at https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html