Published on December 17, 2021.

Log4j Vulnerability

We are getting requests from our customers who are concerned about the so-called Log4j vulnerability.
 
Log4j is an open source, Java-based Apache logging framework which can be used to record and document messages created by software applications. The recently discovered vulnerabilities (CVE-2021-44228 and CVE-2021-45046) affect several Log4j 2.X versions and allow remote code extraction due to erroneous handling of JNDI constructs. See https://logging.apache.org/log4j/2.x/index.html for more information. 
 
We have performed a dependency analysis for BTC EmbeddedPlatform. BTC EmbeddedPlatform is not using Log4j as a logging mechanism.
 
Although Log4j is not used, a non-affected Log4j 1.x version (see https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046) is part of the BTC EmbeddedPlatform installation via the underlying Eclipse framework.  
 
Therefore, we can confirm, that none of our BTC EmbeddedPlatform Releases are affected by CVE-2021-44228 and CVE-2021-45046.