[Gpg4win-users-en] No Java -> Gpg4win immune against any Apache Log4j Vulnerabilities

Bernhard Reiter bernhard at intevation.de
Fri Dec 17 12:29:08 CET 2021


Gpg4win and the components coming with it, including the installer,
do _not_ use Java.

So we believe Gpg4win to be immune against any vulnerabilities
in the Java logging library Apache Log4j.

A number of vulnerabilities in the popular logging library
for Java applications have let to an IT emergency
as they are considered a 10.0/10 "critical" CVSS 3 
remote exploitable, remote execution defect.

In the wide assessment of IT security, we are getting a few
general questions about the use of this library.
As Gpg4win does not use it, we are fine.

Best Regards

CVE-2021-44228 CVE-2021-45046
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20211217/71ffac62/attachment.sig>

More information about the Gpg4win-users-en mailing list