Products from SSH Communications Security are NOT AFFECTED by the critical CVE-2021-44228 Remote Code Execution vulnerability in the Apache Log4j2 Java library or by the related CVE-2021-45046 and CVE-2021-45105 Context Lookup vulnerabilities.
The following products in Secure e-communications Suite (formerly Deltagon products) have a Log4j version 1.x package dependency if they have been installed on Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6:
The Log4j version 1.x vulnerabilities CVE-2021-4104 and CVE-2019-17571 are not exploitable in these Secure e-communications Suite products, and furthermore the components that use Log4j version 1.x are confined to a chroot.
While Tectia ConnectSecure JAVA SDK itself does not use Log4j, customers who have implemented a Java application with Tectia ConnectSecure JAVA SDK are advised to verify their own implementation and third-party dependencies.
SSH Communications Security also recommends that every customer upgrade their operating systems with the latest security fixes.
Users of Log4j version 2.x (https://logging.apache.org/log4j/2.x/) are advised to update to the latest Log4j version (2.17.0).
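One way to carry out the dependency verification advised above for applications built with Tectia ConnectSecure JAVA SDK, and to locate Log4j 2.x copies below 2.17.0, is to inventory the Log4j versions bundled in the application's archives, including jars nested inside fat jars and WAR files. This is an added example, not code from SSH Communications Security; it assumes the archives still carry Maven `pom.properties` metadata, and the function names and status strings are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: jars still carry Maven pom.properties; shaded/repackaged jars may not.
POMS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core 2.x",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j 1.x",
}
TARGET = (2, 17, 0)  # version the advisory tells Log4j 2.x users to update to
ARCHIVES = (".jar", ".war", ".ear")


def classify(artifact, version):
    """Compare a found version with the advisory's target; 1.x is reported separately."""
    if artifact == "log4j 1.x":
        return "log4j-1.x-present"
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if not nums:
        return "unknown-version"
    return "ok" if (nums + (0, 0, 0))[:3] >= TARGET else "below-2.17.0"


def scan_archive(data, label):
    """Return (location, artifact, version, status) tuples, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    found = []
    with zf:
        for name in zf.namelist():
            if name in POMS:
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                ver = m.group(1) if m else ""
                found.append((label, POMS[name], ver, classify(POMS[name], ver)))
            elif name.lower().endswith(ARCHIVES):
                found += scan_archive(zf.read(name), label + "!/" + name)
    return found


def scan_tree(root):
    """Scan every archive under a directory, e.g. an application's install path."""
    found = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            found += scan_archive(p.read_bytes(), str(p))
    return found
```

Call `scan_tree()` on the application's deployment directory and review every row whose status is not `ok`. An empty result does not prove Log4j is absent, since repackaged jars can lack the metadata this check relies on.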