Leostream would like to reassure our customers that their Leostream environment is not subject to the Apache Log4j 2 "Log4Shell" vulnerability.
- The Leostream Connection Broker, Leostream Agent for Windows, Leostream Connect client for Windows, and Leostream License Server do not have Java dependencies.
- The Linux/macOS versions of the Leostream Agent and Leostream Connect client do have Java dependencies; however, they do not use the Log4j package.
- The Leostream Gateway does depend on packages that include Log4j. However, the Leostream Gateway includes a version of the Log4j package that is unaffected by this exploit.
To learn more about the vulnerability, please see: https://logging.apache.org/
EDIT: The Leostream Gateway utilizes Apache Guacamole for the HTML5 viewer, which installs an older version of the Log4j package. Apache has confirmed that this Log4j package is not used for Guacamole.
JIRA posting: https://issues.apache.org/
Apache affected products: https://blogs.apache.org/security/entry/cve-2021-44228