[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gpg4win-users-en
Subject:    [Gpg4win-users-en] No Java -> Gpg4win immune against any Apache Log4j Vulnerabilities
From:       Bernhard Reiter <bernhard () intevation ! de>
Date:       2021-12-17 11:29:08
Message-ID: 202112171229.21248.bernhard () intevation ! de
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


Hello,

Gpg4win and the components coming with it, including the installer,
do _not_ use Java.

So we believe Gpg4win to be immune against any vulnerabilities
in the Java logging library Apache Log4j.

Background:
A number of vulnerabilities in the popular logging library
for Java applications have let to an IT emergency
as they are considered a 10.0/10 "critical" CVSS 3 
remote exploitable, remote execution defect.

In the wide assessment of IT security, we are getting a few
general questions about the use of this library.
As Gpg4win does not use it, we are fine.

Best Regards
Bernhard

Links:
CVE-2021-44228 CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://blogs.apache.org/foundation/entry/apache-log4j-cves
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

["signature.asc" (application/pgp-signature)]
[Attachment #6 (text/plain)]

_______________________________________________
Gpg4win-users-en mailing list
Gpg4win-users-en@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en

[prev in list] [next in list] [prev in thread] [next in thread]