Hello Martijn,
I found the following posting, which says that version 1.x may be affected, too, but in a different way (LDAP based only?):
Since the Pro version supports LDAP certificate lookups, could this be a problem?
Best wishes,
Stefan
-----Original Message-----
From: Martijn Brinkers via Users <users(a)lists.ciphermail.com>
Sent: Monday, 13 December 2021 8:34
To: users(a)lists.ciphermail.com
CC: ricky.boone(a)gmail.com; Martijn Brinkers <martijn(a)ciphermail.com>
Subject: Re: Apache log4j vulnerability, CVE-2021-44228

Hi Ricky,
CipherMail Gateway and Webmail Messenger are *not* vulnerable to
CVE-2021-44228 because an older version of log4j (1.2) is used which
does not contain the (vulnerable) lookup functionality.

When we became aware, a few hours after the details were posted, that
log4j was exploitable, we analyzed the exploit and concluded that
CipherMail was not vulnerable.

CipherMail uses version 1.2.15 of the log4j library. This version is
still widely deployed. It is true that version 1.x of log4j is no
longer supported; however, we always analyze any impact of a published
exploit to see whether a CipherMail product is impacted or not. We are
not aware of any vulnerabilities in the default configuration of 1.x as
used by CipherMail.

We will further analyze whether we upgrade to a newer version of log4j
or use a different logging library instead.

Kind regards,
Martijn Brinkers
On Mon, 2021-12-13 at 02:42 +0000, ricky.boone--- via Users wrote:
> Apache log4j has a critical zero day vulnerability (CVSS score of
> 10), CVE-2021-44228.
>
> Log4j –
> NVD - CVE-2021-44228
> https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
>
> The vulnerability appears to impact log4j 2.x through 2.15.0-rc1. Upon
> a cursory check, CipherMail appears to use log4j 1.2.15, which, while
> end of life and potentially vulnerable to other threats, shouldn't be
> vulnerable to this specific flaw. As a result, the mitigating
> controls may not be applicable or necessary.
>
> Thoughts, or discussion?
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger