Last week, a critical vulnerability in the widely used logging library log4j 2 became known. The log4j versions included in the verinice.PRO server are not affected by the vulnerability!
The vulnerability has been assigned the CVE number CVE-2021-44228 and is described in this article, among others: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package.
For more information, see the article in our verinice forum: https://forum.verinice.com/t/verinice-nicht-betroffen-von-log4j-schwachstelle/
However, on a verinice.PRO system there may be other Java applications in Tomcat that have not been installed by the verinice team. Since these applications may contain affected log4j versions, the team recommends including a parameter in the Tomcat configuration that prevents exploitation of the vulnerability in other applications. Again, see our forum post for details: https://forum.verinice.com/t/verinice-nicht-betroffen-von-log4j-schwachstelle/
Feel free to contact our team if you have any further questions.