Friday morning we were notified that Log4j, a popular Java logging library, contains a critical vulnerability (CVE-2021-44228) that can result in Remote Code Execution (RCE) when a log message containing an attacker-controlled JNDI lookup string gets logged. As we use Log4j in CipherMail Gateway and Webmail Messenger, and the vulnerability appeared to be trivial to exploit, we immediately began analyzing whether our products were impacted. Later that morning we were quite confident that this was not the case: the Log4j version in use by CipherMail products belongs to the 1.x line, which does not implement the message lookups that make Log4j 2.x exploitable.
This means that CipherMail Gateway and Webmail Messenger are not vulnerable to CVE-2021-44228. However, the Log4j 1.2 version we use has been assigned another CVE ID around the same time for a less critical issue: CVE-2021-4104. It also goes through JNDI, via the JMSAppender, but it is only exploitable when an attacker can modify the Log4j configuration or control the JNDI binding names the appender uses; merely getting an attacker-controlled message logged is not enough. Because Log4j 1.x reached end of life in 2015 and no longer receives fixes, we have decided to update the Log4j library in our products to the most recent version. This work is now almost finished and we will release updated packages soon.
It should be noted that, while the old Log4j library now contains multiple known vulnerabilities like CVE-2021-4104, we are confident that they pose no or very limited risk to users and customers of CipherMail products. This is due to mitigating factors in the CipherMail source code, such as the configuration settings used and the way in which the library is called (CVE-2021-4104, for instance, only applies when JMSAppender is configured and an attacker can influence that configuration). We too have been spooked somewhat by the Log4j vulnerability and are now prioritizing other library updates as well. This is a lot of work for some libraries, but if a Log4j-like vulnerability is discovered again that does impact CipherMail users and customers, we will be quick to update. Again: we are confident that CipherMail products are not impacted by any known vulnerabilities, but we are improving our preparedness to make sure that our overall security response will be adequate when needed.
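The distinction drawn above (a Log4j 2 jar still carrying the JNDI lookup versus a Log4j 1.2 jar whose configuration wires up JMSAppender) is exactly what an operator needs to check on their own deployment. The script below is an added example and not CipherMail code: it identifies the Log4j generation from the jar's pom.properties, checks the precondition for CVE-2021-44228 on 2.x jars, and checks the JMSAppender precondition for CVE-2021-4104 on 1.x jars. It assumes the standard Maven-built jar layout and a log4j 1.x properties-style configuration; the sample jars and configuration snippets are constructed in memory so it runs offline.

```python
"""Triage a Log4j jar plus its configuration for CVE-2021-44228 and CVE-2021-4104.

Added example, not CipherMail code. Assumes Maven-built jars (pom.properties
present) and a log4j 1.x properties or XML configuration as text.
"""
import io
import re
import zipfile

# Entry paths as found in the official Maven-built jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"

# 2.15.0 disabled message lookups by default; 2.12.2 (Java 7) and 2.3.1 (Java 6)
# are the backports carrying the same fix.
FIXED_2X = (2, 15, 0)
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def _version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def _read_version(zf, pom_path):
    """Return the version= value of a pom.properties entry, or None if absent."""
    try:
        text = zf.read(pom_path).decode("utf-8", "replace")
    except KeyError:
        return None
    match = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return match.group(1).strip() if match else None


def classify_jar(jar_bytes):
    """Identify the Log4j generation and whether CVE-2021-44228 can apply."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        v2 = _read_version(zf, LOG4J2_POM)
        v1 = _read_version(zf, LOG4J1_POM)
    if v2 is not None:
        vt = _version_tuple(v2)
        unfixed = vt < FIXED_2X and vt not in FIXED_BACKPORTS
        # Deleting JndiLookup.class from the jar was the documented mitigation
        # for 2.x releases that could not be upgraded, so check for the class too.
        return {
            "generation": 2,
            "version": v2,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            "cve_2021_44228_candidate": unfixed and JNDI_LOOKUP_CLASS in names,
        }
    if v1 is not None:
        # Log4j 1.x has no message lookups, so CVE-2021-44228 does not apply.
        return {
            "generation": 1,
            "version": v1,
            "jms_appender_present": JMS_APPENDER_CLASS in names,
            "cve_2021_44228_candidate": False,
        }
    return {"generation": None, "version": None, "cve_2021_44228_candidate": False}


def config_uses_jms_appender(config_text):
    """True if a log4j 1.x properties or XML configuration references JMSAppender."""
    return re.search(r"org\.apache\.log4j\.net\.JMSAppender", config_text) is not None


def triage(jar_bytes, config_text=""):
    """Combine jar and configuration facts into per-CVE verdicts."""
    info = classify_jar(jar_bytes)
    # CVE-2021-4104 needs JMSAppender to be configured and the attacker to control
    # that configuration or its JNDI binding names; the class merely being in the
    # jar is not exploitable by itself.
    info["cve_2021_4104_exposed"] = (
        info["generation"] == 1
        and info.get("jms_appender_present", False)
        and config_uses_jms_appender(config_text)
    )
    return info


def build_sample_jar(generation, version, include_jndi_lookup=True):
    """Construct a minimal in-memory jar (placeholder bytes stand in for classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if generation == 2:
            zf.writestr(LOG4J2_POM, f"version={version}\nartifactId=log4j-core\n")
            if include_jndi_lookup:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        else:
            zf.writestr(LOG4J1_POM, f"version={version}\nartifactId=log4j\n")
            zf.writestr(JMS_APPENDER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed log4j 1.x configurations: a plain file appender, and one adding JMSAppender.
SAFE_CONFIG = """log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
"""
JMS_CONFIG = """log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for label, jar, cfg in [
        ("log4j-core 2.14.1", build_sample_jar(2, "2.14.1"), ""),
        ("log4j-core 2.14.1, JndiLookup removed", build_sample_jar(2, "2.14.1", False), ""),
        ("log4j 1.2.17, file appender only", build_sample_jar(1, "1.2.17"), SAFE_CONFIG),
        ("log4j 1.2.17, JMSAppender configured", build_sample_jar(1, "1.2.17"), JMS_CONFIG),
    ]:
        print(label, triage(jar, cfg))
```

In a real deployment, feed `triage` the bytes of each Log4j jar on the classpath together with the configuration the application actually loads; a 1.x jar that scores "exposed" still needs the attacker to reach the configuration before CVE-2021-4104 becomes a practical problem, which is the mitigating-factor argument made above.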
If you have any questions or suggestions regarding the security of our products, please don't hesitate to contact us.
UPDATE December 15, 2021: added some background information and intentions on updating Log4j and other library versions that are no longer supported.