Recently, the Log4j vulnerability was discovered. It affects millions of applications written in the Java programming language.
More specifically, the vulnerability is caused by a problem in the Log4j logging library. It is used to log server activities or accesses on systems, for example "User X has accessed the system". During this process, the Log4j library tries to analyze such reports. Currently, it is likely that cybercriminals are using the Log4j vulnerability to hack into servers, execute arbitrary code and get unauthorized access to valuable personal data. In this case, they might take complete control of the system.
Which systems are affected?
Any application/system using the Log4j library.
Is Password Depot also affected?
No, Password Depot is NOT affected by the Log4j vulnerability. Therefore, we hereby confirm that none of our editions are vulnerable, that is:
- Windows standard and Corporate client
- Enterprise Server
as well as our web interface and the browser extension.
Java is only used for developing our Android app; however, we confirm that the Log4j library is not used. Other Password Depot applications do not use Java at all.
So, as far as Password Depot is concerned, we can reassure you that no harm has been caused, since the software is not affected by the Log4j vulnerability.
Nevertheless, please note the following:
If you have developed your own interface to Password Depot Enterprise Server using Java, your system might still be vulnerable. We therefore strongly recommend checking whether your system is affected. If it is, or if you are in doubt, please disable/deactivate all affected systems that you do not absolutely need. Furthermore, an update of Log4j to the current version 2.15.0 has already been released, and we recommend installing it.
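One way to carry out the check recommended above for a self-developed Java interface, as an added example that is not part of the original notice and is not Password Depot code: the Python script below walks a directory, opens every JAR/WAR/EAR (including libraries nested inside fat JARs) and reports each copy of log4j-core, flagging those older than 2.15.0. The function names, status labels and directory argument are assumptions made for this example.

```python
import io, os, re, sys, zipfile

FIXED = (2, 15, 0)  # release named in the notice; raise it if your policy requires a later one
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def version_of(text):
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect(fileobj, label, findings):
    """Record log4j-core copies found in one archive, descending into nested archives."""
    try:
        jar = zipfile.ZipFile(fileobj)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a ZIP archive: nothing to report
    with jar:
        names = set(jar.namelist())
        version = None
        if POM in names:  # Maven metadata shipped inside log4j-core
            m = re.search(r"^version=(.+)$", jar.read(POM).decode("utf-8", "replace"), re.M)
            version = version_of(m.group(1)) if m else None
        if version is None:  # fall back to the archive's file name
            m = re.search(r"log4j-core-([\d.]+)", os.path.basename(label))
            version = version_of(m.group(1)) if m else None
        if JNDI in names or version is not None:
            if version is None:
                status = "REVIEW"  # log4j-core classes present (e.g. shaded), version unknown
            elif version[0] == 2 and version < FIXED:
                status = "UPDATE"
            else:
                status = "OK"      # at or above FIXED
            findings.append((label, version, status))
        for name in names:  # fat JARs and WARs bundle their libraries as nested archives
            if name.lower().endswith(ARCHIVES):
                inspect(io.BytesIO(jar.read(name)), label + "!" + name, findings)

def scan(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                inspect(path, path, findings)
    return sorted(findings)

if __name__ == "__main__":
    for label, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(status, ".".join(map(str, version)) if version else "?", label)
```

Run it against the installation directory of the Java interface; an empty result means no log4j-core copy was found in the archives under that directory.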