No log4j vulnerability here

[Staff 9971]

Hello!

We would like to inform you that we have never used the  Apache Logging Services and/or Java in general, so any Log4j vulnerability, CVE-2021-44228 included (overall CVSS score 10.0 - critical) doesn't affect AirVPN web site or anything related to AirVPN.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Kind regards and datalove
AirVPN Staff
 

[boblinthewild 1]

👍👍👍

[OpenSourcerer 1435]

I like this answer right here on the GitLab forums. Why should someone say they're not vulnerable if their product doesn't use it, or can't even use it due to the language?
It was a topic at my work as well. The amount of panic-inducing reactions from management was abysmal.

"But GitLab is not running on Java, it's Ruby."
"Just contact them and ask for confirmation."
"But it's not Java! The vulnerability is in a Java cl…"
"Are you so omniscient to know that it's unaffected? Get to it, contact me again when you have something official."

I'm slightly speechless. Why should I ask InfluxData whether their Go-written monitoring product uses a Java class? Why should I ask the vendor delivering a Python 3-based software? Why contact someone who wrote something for us in C#? Damn, management can be difficult…

[Staff 9971]

13 hours ago, OpenSourcerer said:

I like this answer right here on the GitLab forums. Why should someone say they're not vulnerable if their product doesn't use it, or can't even use it due to the language?

Hello!

In our case, to collectively answer many requests and mitigate the amount of future tickets about it.

Kind regards
 

[vroomvroom 0]

😂

On 12/14/2021 at 8:26 PM, OpenSourcerer said:

I like this answer right here on the GitLab forums.
It was a topic at my work as well. The amount of panic-inducing reactions from management was abysmal.

😂

That's what the function is of management, no ? Since they have zero technical skills they gotta make themself useful somehow.