Securosys News and Media Releases

Security advisory Log4J – Securosys products and services not affected

Written by Marcel Dasen | Dec 14, 2021

A critical vulnerability (CVE-2021-44228) has recently been discovered in Apache Log4j, a widely used software framework. Securosys products and services do not use the Apache Log4j framework and are therefore not affected by this vulnerability.

This security alert addresses CVE-2021-44228, a vulnerability in Apache Log4j that allows unauthenticated remote code execution. It is triggered when a specially crafted string, provided by the attacker via various input vectors, is parsed and processed by the vulnerable Log4j component.

The vulnerability has been rated highly critical (warning level red) by BSI: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf

The Apache Log4j framework is not used in any Securosys products and services. Primus HSM, Securosys CloudsHSM, Securosys 365, Imunes TEE, and Centurion encryptors are thus not affected. Local software components such as the PKCS#11, MS CNG, and JCE APIs, as well as the Transaction Security Broker (TSB) and REST API, are also not affected.