Log4j 2 "Log4Shell" Vulnerability Announcement

Posted almost 2 years ago by Vlad Trofimov

  • Topic is Locked
Vlad Trofimov
Vlad Trofimov Admin

Leostream would like to reassure our customers that their Leostream environment is not subject to the Apache Log4j 2 "Log4Shell" vulnerability


- The Leostream Connection Broker, Leostream Agent for Windows, Leostream Connect client for Windows, and Leostream License Server do not have Java dependencies.


- The Linux/macOS versions of the Leostream Agent and Leostream Connect client do have Java dependencies, however they do not use the Log4j package.


- The Leostream Gateway does depend on packages that include Log4j. However, the Leostream Gateway includes a version of the Log4j package that is unaffected by this exploit.
 
To learn more about the vulnerability, please see: https://logging.apache.org/log4j/2.x/security.html.  If you have further questions or concerns about your Leostream environment, please reach out to support@leostream.com.

2 Votes


1 Comments

Vlad Trofimov

Vlad Trofimov posted almost 2 years ago Admin

EDIT: The Leostream Gateway utilizes Apache Guacamole for the HTML5 viewer, which installs an older version of the log4j package. Apache has confirmed that this log4j package is not used for Guacamole.


JIRA posting:  https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1474?filter=allissues 
Apache affected products: https://blogs.apache.org/security/entry/cve-2021-44228

Guacamole logging:  https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging 

0 Votes