Are i-net software products vulnerable to the critical RCE CVE-2021-44228 in Log4j, disclosed on 12/10/2021?
Answer
In short: products released by i-net software are not affected by the vulnerability.
Description
The vulnerability only affects Log4j versions 2.0 through 2.14.1 (see https://www.lunasec.io/docs/blog/log4j-zero-day/), none of which were ever used by i-net software products in the first place. We did use version 1.2.17 from 10/2015 until 05/2020 for minor functions without direct web parameter input.
Additionally, only Java versions earlier than 8u191 and 11.0.1 are affected as per description. i-net software had to publish a security release in April 2020 which included the then current Java version 11.0.7 for all products that are shipped with a Java 11 VM - specifically: i-net HelpDesk 8.2.374 and newer, i-net PDFC 5.1 and newer, i-net Clear Reports 17.1 and newer. Earlier product versions from the April 2020 security release that include the Java 8 VM did ship 1.8.0_211 for Windows installers and 1.8.0.191 for macOS installers.
That means that product releases of version 20.10 and newer have no reference to Log4j whatsoever. Versions prior to 20.10 are not affected because they use an earlier version of Log4j, even though an affected Java VM may be used.
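To check an installation directory against the version range given above, the following added example (not i-net software's code) reads the Maven metadata inside each jar and classifies any Log4j it finds. It assumes the standard Maven `pom.properties` paths for `log4j-core` and Log4j 1.x and does not look inside nested or shaded jars.

```python
import re
import sys
import zipfile
from pathlib import Path

# Assumed standard Maven metadata paths in the Log4j 2 core jar and the Log4j 1.x jar.
POMS = ("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
        "META-INF/maven/log4j/log4j/pom.properties")
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # range stated in the advisory


def classify(version):
    """Map a Log4j version string to the advisory's categories."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    if not nums:
        return "unknown"
    v = tuple(nums + [0] * (3 - len(nums)))  # pad "2.0" to (2, 0, 0)
    if v[0] == 1:
        return "log4j-1.x (outside CVE-2021-44228 range)"
    return "in-range" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside range"


def jar_log4j_version(jar_path):
    """Return the Log4j version recorded in a jar's Maven metadata, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            for pom in POMS:
                if pom in names:
                    text = jar.read(pom).decode("utf-8", "replace")
                    m = re.search(r"^version=(.+)$", text, re.M)
                    if m:
                        return m.group(1).strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt archive: skip it rather than abort the scan
    return None


def scan(root):
    """Walk root and return {jar path: (version, classification)}."""
    found = {}
    for jar in Path(root).rglob("*.jar"):
        version = jar_log4j_version(jar)
        if version:
            found[str(jar)] = (version, classify(version))
    return found


if __name__ == "__main__":
    # Usage: python scan_log4j.py <installation directory>
    for path, (ver, verdict) in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:45} {ver:10} {path}")
```

A jar that reports `in-range` still needs the Java VM version checked as described above; a jar with no Maven metadata is not reported at all.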
Advisory
Even though no products released by i-net software are directly affected by the disclosed critical RCE CVE-2021-44228 in Log4j, we advise updating to the latest released minor versions. Keeping your installations up-to-date with our latest supported major versions ensures that you benefit from our latest security patches.