Products from SSH Communications Security are NOT AFFECTED by the critical CVE-2021-44228 Remote Code Execution vulnerability of Apache Log4j2 Java library or the related CVE-2021-45046 and CVE-2021-45105 Context Lookup vulnerabilities.
SSH.COM products that do not use Log4j
- PrivX
- NQX
- Tectia Client/Server/ConnectSecure
- Tectia SSH Server for z/OS
- Universal SSH Key Manager
- CryptoAuditor
- SSH Tectia Manager
- Sec@GW (Secure e-communications Suite) when installed on Red Hat Enterprise Linux 8.
- secureForms (Secure e-communications Suite)
Confined use of Log4j version 1.x
The following products in Secure e-communications Suite (former Deltagon products) have Log4j version 1.x package dependancy if they have been installed on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6:
- collabRoom (Secure e-communications Suite)
- secSigned (Secure e-communications Suite)
- Sec@GW (Secure e-communications Suite), used only in rare, non-default configuration.
The Log4j version 1.x vulnerabilities CVE-2021-4104 and CVE-2019-17571 are not exploitable in these Secure e-communications Suite products, and further the components that use Log4j version 1.x are confined to chroot.
Recommendations
While Tectia ConnectSecure JAVA SDK itself does not use Log4j, any customers who have implemented a JAVA application with Tectia ConnectSecure JAVA SDK are advised to verify their own implementation and 3rd party dependencies.
SSH Communication Security also recommends every customer to upgrade their operating systems with the latest security fixes.
Log4j version 2.x https://logging.apache.org/log4j/2.x/ users are advised to update to the latest Log4j version (2.17.0).
Miikka Sainio
Miikka guides the software architecture and development at SSH. He has over 20 years of experience in IT industry, building teams and developing products in startups and large enterprises.
