A severe remote code execution (RCE) vulnerability in the open source Apache server logging framework Log4j2 has been discovered.
We would like you to know that the Dencrypt Communication Solution is not vulnerable and is safe. No further action is required.
Remember that the Dencrypt Communication Solution features End-2-End (E2E) encryption, which mitigates any server-related attacks.
Thus, the content of your messages and calls is kept confidential.
More background information:
- Article in Wired magazine: ‘The Internet Is on Fire’ (Wired)
- The legacy Dencrypt Message server deploys the Log4j library for audit logs, but there is no vulnerability because:
  - The deployed Log4j library is version 1.2.17, but the vulnerability requires a version higher than 2.x (named Log4j2, as opposed to Log4j for versions 1.x).
  - Log4j is used for audit logs of the legacy server system, i.e. an end user cannot inject explicit text, which mitigates the currently discussed vulnerability.
- The latest messaging server for Dencrypt Connex does not deploy the Log4j library at all.
- Link to CVE: CVE-Log4j2
Do not hesitate to contact us if you have any questions.