Are i-net software products vulnerable to the critical RCE CVE-2021-44228 in Log4j, disclosed on 12/10/2021?
In short: products released by i-net software are not affected by the vulnerability.
The vulnerability only affects Log4j versions 2.0 through 2.14.1 (see https://www.lunasec.io/docs/blog/log4j-zero-day/) - none of which were ever used by i-net software products in the first place. We used version 1.2.17 from 10/2015 until 05/2020 for minor functions without direct web parameter input.
Additionally, only Java versions earlier than 11.0.1 are affected, according to the description. i-net software had to publish a security release in April 2020 which included the then-current Java version 11.0.7 for all products that are shipped with a Java 11 VM - specifically: i-net HelpDesk 8.2.374 and newer, i-net PDFC 5.1 and newer, i-net Clear Reports 17.1 and newer. Earlier product versions from the April 2020 security release that include the Java 8 VM shipped 1.8.0_211 for Windows installers and 126.96.36.199 for macOS installers.
That means that product releases from version 20.10 onward have no reference to Log4j whatsoever. Versions prior to 20.10 are not affected because they use an earlier version of Log4j - even though an affected Java VM may be used.
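To confirm which Log4j version an installation actually contains, the following added example (not i-net software's code) scans a directory for jars and checks each one against the 2.0 through 2.14.1 range stated above. It assumes the jars carry Maven pom.properties metadata; the function names and the sample jars, including the 2.17.1 entry, are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: jars still carry Maven pom.properties; shaded jars may not.
POM_PATHS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j 1.x",
}

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def in_affected_range(version):
    """True for the range given on this page: Log4j 2.0 through 2.14.1."""
    return (2, 0, 0) <= version <= (2, 14, 1)

def scan(root):
    """Yield (jar, artifact, version, affected) for each Log4j jar under root."""
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = set(zf.namelist())
                for pom, artifact in POM_PATHS.items():
                    if pom not in names:
                        continue
                    version = parse_version(zf.read(pom).decode("utf-8", "replace"))
                    if version:
                        yield jar, artifact, version, in_affected_range(version)
        except zipfile.BadZipFile:
            continue  # unreadable archive: skip it, keep scanning

def build_sample(root):
    """Write constructed sample jars (metadata only) so the scan runs offline."""
    poms = list(POM_PATHS)
    for name, pom, ver in [("log4j-1.2.17.jar", poms[1], "1.2.17"),
                           ("log4j-core-2.14.1.jar", poms[0], "2.14.1"),
                           ("log4j-core-2.17.1.jar", poms[0], "2.17.1")]:
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            zf.writestr(pom, f"#Generated by Maven\nversion={ver}\n")
    (Path(root) / "broken.jar").write_bytes(b"not a zip")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for jar, artifact, version, affected in scan(tmp):
            print(jar.name, artifact, version, "AFFECTED" if affected else "ok")
```

Point `scan()` at the product's installation directory instead of the sample directory; a jar that has been repackaged without its Maven metadata will not be reported and needs a manual check.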
Even though no products released by i-net software are directly affected by the disclosed critical RCE CVE-2021-44228 in Log4j, it is advised to update to the latest released minor versions. Keeping your installations up to date with our latest supported major versions ensures that you benefit from our latest security patches.