Log4Shell - Security issue: GENEREX - PRODUCTS ARE SAFE!
In the last few days, our customers ask whether GENEREX products are secured against "Log4Shell attacks" - Log4Shell is currently a well-known security issue for attacking networks. This article explains what is behind the attack and why GENEREX products are not affected.
What is the Log4Shell attack trying to do?
For this, one must roughly understand what the library "Log4J" actually does in the background:
Log4J is an elegant tool among logging applications. It can be used, for example, to record error messages from a given software in order to later trace the causes of problems. Logically, strings that originate from exactly this external application are also logged.
However, Log4J can do more than just log - under certain conditions, status parameters can also be interpreted and, if necessary, passed to the "Java Naming and Directory Interface", which in turn can also load and execute additional code from an external source.
In principle, the attack is about "foisting" one's own code on the target system in this way.
Why are GENEREX products safe?
1. the Log4J library must be used for Log4Shell to work.
2. No GENEREX product uses this library.
For this reason, a Log4Shell attack on GENEREX products is not possible at all.