Log4j problem

gerald_zottl
Posts: 4
Joined: Mon Oct 11, 2021 2:14 pm
Has thanked: 1 time

Log4j problem

Post by gerald_zottl » Tue Dec 21, 2021 11:43 am

Hi,

is Bookmap in any way affected by the Log4j problem?

Regards
Gerald

Svyatoslav
Site Admin
Posts: 278
Joined: Mon Jun 11, 2018 11:44 am
Has thanked: 2 times
Been thanked: 31 times

Re: Log4j problem

Post by Svyatoslav » Tue Dec 21, 2021 5:32 pm

Hi,

Well... Not in a very significant way. We did have some non-critical services that we had to update, but the main app is affected in a pretty limited way.

Regardless, the 7.2 and 7.3 updates with patched log4j are released. It's best to update to be safe, but the chances that a practical way to exploit it inside Bookmap desktop specifically exists are pretty low. Our main code does not use log4j directly, but some 3rd party libraries that we use do. All ways that we could imagine so far require at least two steps for the attack to actually make sense (e.g. possibly something like compromising a crypto exchange that the user connects to and then providing a specially crafted reply; however, it's not clear if the above would actually work or is just a theoretical possibility).

Still, it is probably best to just perform the update if you are worried.

Best,
Svyatoslav
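
The reply above notes that log4j reaches the application only through third-party libraries. The following is an added example, not part of the original posts and not Bookmap's code: a Python inventory check that walks an install directory and lists every archive, including jars nested inside other jars, that bundles log4j-core's `JndiLookup.class`. The function names and the constructed sample tree are assumptions; a hit means log4j-core is bundled there and its version should be checked against the vendor's patched release, since patched log4j-core builds still ship this class.

```python
import io
import os
import sys
import zipfile

# Class that performs the JNDI lookup in log4j-core 2.x; finding it shows that
# an archive bundles log4j-core (directly, nested, or under a relocated prefix).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, hits, depth=0, max_depth=4):
    """Record `label` if the archive holds JndiLookup.class; recurse into nested archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                    scan_archive(zf.read(name), f"{label}!/{name}", hits, depth + 1, max_depth)
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it

def scan_tree(root):
    """Walk `root` and return labels of every archive containing JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, hits)
    return sorted(hits)

def build_demo_tree(root):
    """Constructed sample: one clean jar and one jar that nests a log4j-core-like jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"constructed placeholder, not a real class file")
    with zipfile.ZipFile(os.path.join(root, "vendor-lib.jar"), "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"constructed")

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("bundles log4j-core JndiLookup:", hit)
```

Run it with the application's install directory as the only argument; with no argument it scans the current directory.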

gerald_zottl
Posts: 4
Joined: Mon Oct 11, 2021 2:14 pm
Has thanked: 1 time

Re: Log4j problem

Post by gerald_zottl » Mon Dec 27, 2021 9:24 am

Thanks for your information, Svyatoslav!
