News

Statement regarding security vulnerability in log4j

Berlin, Dec 13, 2021

We have extensively analyzed this issue and have concluded that no i-net software product is affected by the log4j vulnerability CVE-2021-44228. We have released a statement about the disclosed vulnerability on our FAQ website

Description

The vulnerability only affects Log4j versions 2.0 until 2.14.1 (see https://www.lunasec.io/docs/blog/log4j-zero-day/) - none of which were ever used by i-net software products in the first place. We did use version 1.2.17 starting 10/2015 until 05/2020 for minor functions without direct web parameter input.

Additionally, only Java versions earlier than (including) 8u191 and 11.0.1 are affected as per description. i-net software had to publish a security release in April 2020 which included the then current Java version 11.0.7 for all products that are shipped with a Java 11 VM - specifically: i-net HelpDesk 8.2.374 and newer, i-net PDFC 5.1 and newer, i-net Clear Reports 17.1 and newer. Earlier product versions from the April 2020 security release that include the Java 8 VM did ship 1.8.0_211 for Windows installers and 1.8.0.191 for macOS installers.

That means, that product releases newer than and including version 20.10 have no reference to log4j whatsoever. Versions prior to 20.10 are not affected due to a previous version of log4j being used - even though an affected Java VM may be used.

Advisory

Even though no products released by i-net software are directly affected by the disclosed critical RCE CVE-2021-44228 of Log4j it is advised to update to the latest released minor versions. Keeping your installations up-to-date with our latest supported major versions ensures that you benefit from our latest security patches.

For updated information about the on-going issue, please check out our FAQ website.

 

© Copyright 1996 - 2024, i-net software; All Rights Reserved.