The German Federal Office for Information Security has scored a vulnerability in the Java library “log4j” as critical (NVD entry).
Vulnerability Status from Accellence
Our Video Management Solutions (vimacc, vimacc OA & EBÜS) themselves not using Java and either not the Java library log4j. The commonly used FileZilla FTP server is also not using any Java1.
But we can’t exclude either that any software provided by other suppliers, or additionally being installed on your systems is using log4j. An international maintained list of known vulnerable and not vulnerable software is available here: https://github.com/NCSC-NL/log4shell/tree/main/software.
Suggested Actions for EBÜS
Search on your system for files with the filter log4j*. This gives you indications if this library is in use on your system. If you do need to connect to such systems in your ARC, you could delete the regarding log4j*.jar files without any risk.
We will provide an Update of the EBÜS-Setup in the near future, which automatically removes log4j at the places of integrated SDKs identified by us. Generally you should take care, only to open such network ports on the firewall, which are trustworthy and connect only approved software service to them – e.g. you know, that reliable information available that log4j is not used by them.
Please keep you constantly updated by the information of the official authorities and the information on our website.
In any case of additional questions or required information do not hesitate to get in contact with us.
1 https://forum.filezilla-project.org/viewtopic.php?f=6&t=54338