BlueRange not affected by log4j/log4shell gap

Be safe with BlueRange

For the critical vulnerability in log4j (CVE-2021-44228), an increase of warning level to red was declared by the German Federal Office for Information Security (BSI) on December 12, 2021. You can read more about this in the official BSI statement.

Immediate testing on the BlueRange system ensured that BlueRange is not affected by the vulnerability. TCPDUMP for checking network connections Learn more: https://www.huntress.com/blog/critical-rce-vulnerability-log4j-cve-2021-44228 BlueRange is not based on the affected “log4j” framework, but uses Logback. See Log4J2 Vulnerability and Spring Boot

Unused libraries will be removed with the next version

BlueRange uses support for Splunk (splunk-library-javalogging). The framework brings log4j-core in version < 2.15.0. However, BlueRange does not use the affected framework. Therefore, the reported vulnerability cannot be exploited in our system. Nevertheless, an optimization was performed on BlueRange, in which the unused library log4j-core is completely removed. The software update will be available with the next BlueRange Server version 5.8 next week at the latest. The new version of BlueRange will contain a multitude of functions as well as optimizations and improvements. For this reason, we recommend a prompt update to the current version after the release.