Be safe with BlueRange

Because of the critical vulnerability in log4j (CVE-2021-44228), the German Federal Office for Information Security (BSI) raised its warning level to red on December 12, 2021. You can read more about this in the official BSI statement.

Immediate testing on the BlueRange system ensured that BlueRange is not affected by the vulnerability.

BlueRange is not based on the affected "log4j" framework, but uses Logback. See "Log4J2 Vulnerability and Spring Boot".

Unused libraries will be removed with the next version

BlueRange includes support for Splunk (splunk-library-javalogging). This library brings in log4j-core in a version < 2.15.0. However, BlueRange does not use the affected framework, so the reported vulnerability cannot be exploited in our system. Nevertheless, BlueRange has been optimized so that the unused library log4j-core is removed completely. The software update will be available with the next BlueRange Server version 5.8, next week at the latest. The new version of BlueRange will contain a multitude of functions as well as optimizations and improvements. For this reason, we recommend updating to the current version promptly after the release.
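To check whether a server archive still carries a log4j-core copy below 2.15.0, such as the one brought in by splunk-library-javalogging, the following added example (not BlueRange code) scans an archive and its nested jars by file name. The archive name `sample-server.jar`, the Spring Boot style `BOOT-INF/lib/` layout and all jar contents are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (2, 15, 0)  # log4j-core versions below this are the ones named above
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def scan_archive(data, path="", depth=3):
    """Return [(location, version)] for log4j-core jars below FIXED.

    Recurses into nested .jar/.war entries up to `depth` levels. Matching is
    by file name only, so renamed or shaded copies are not detected.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to report
    with zf:
        for name in zf.namelist():
            where = f"{path}!/{name}" if path else name
            m = JAR_RE.search(name)
            if m:
                version = tuple(int(g or 0) for g in m.groups())
                if version < FIXED:
                    findings.append((where, version))
            elif name.endswith((".jar", ".war")) and depth > 0:
                findings += scan_archive(zf.read(name), where, depth - 1)
    return findings

def _make_zip(entries):
    """Build an in-memory zip from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample(log4j_version="2.14.1"):
    """Constructed sample: a fat jar bundling Logback and a log4j-core jar."""
    inner = _make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return _make_zip({
        "BOOT-INF/lib/logback-classic-1.2.7.jar": inner,
        f"BOOT-INF/lib/log4j-core-{log4j_version}.jar": inner,
        f"BOOT-INF/lib/log4j-api-{log4j_version}.jar": inner,
    })

if __name__ == "__main__":
    for where, version in scan_archive(build_sample(), "sample-server.jar"):
        print("log4j-core below 2.15.0:", where, ".".join(map(str, version)))
```

An empty result means no log4j-core jar below 2.15.0 was found by name; it does not cover copies repackaged under a different file name.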