Dear customers and partners,
we would like to inform you that with regard to the critical Log4j vulnerabilities that have become known, there is no risk to the systems we deliver. This is the result of an immediate and intensive review.
What is the current risk situation?
According to the BSI's assessment, the recently discovered critical vulnerability (Log4Shell) in the Java library Log4j leads to an extremely critical threat situation. The BSI has therefore published a cyber security warning of warning level red.
Audit result for vulnerability CVE-2021-44228
Log4j is a logging library that we include in our Java applications. The vulnerability CVE-2021-44228 in Log4j occurs exclusively in versions 2.0 to 2.14.1. However, we currently use versions 1.2.12 to 1.2.17 without exception. The systems we deliver are therefore not affected by this vulnerability.
Audit result for vulnerability CVE-2021-4104
A second, similar problem has become known. The company Red Hat recently published a moderately severe vulnerability in Log4J CVE-2021-4104. This problem basically affects the versions we use. However, this requires the use of a certain class: org.apache.log4j.net.JMSAppender. This class is not used by qualitype GmbH. In addition, this class no longer works in the current application server Wildfly (formerly JBoss). It can thus be ruled out that the systems supplied by us contain this error.
Should further vulnerabilities in connection with Log4J become known, we will of course inform you immediately about the risk in the systems delivered by us. In the interest of our customers, we place the highest value on the reliability of our solutions.
Should you have any further questions, please do not hesitate to contact us.