[Gpg4win-users-en] No Java -> Gpg4win immune against any Apache Log4j Vulnerabilities

Bernhard Reiter bernhard at intevation.de
Fri Dec 17 12:29:08 CET 2021


Hello,

Gpg4win and the components coming with it, including the installer,
do _not_ use Java.

So we believe Gpg4win to be immune against any vulnerabilities
in the Java logging library Apache Log4j.

Background:
A number of vulnerabilities in the popular logging library
for Java applications have led to an IT emergency
as they are considered a 10.0/10 "critical" CVSS 3
remotely exploitable, remote execution defect.

In the wide assessment of IT security, we are getting a few
general questions about the use of this library.
As Gpg4win does not use it, we are fine.

Best Regards
Bernhard

Links:
CVE-2021-44228 CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://blogs.apache.org/foundation/entry/apache-log4j-cves
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner