By Dr. Juan Miguel Cejuela
Last update: 2021-12-19
We have evaluated, as a high priority, every detail of how the worldwide CVE-2021-44228 vulnerability ("Log4Shell") relates to the tagtog software. Our response follows.
In short:
As of today, the tagtog software is not affected by the Log4Shell vulnerability.
More info:
As you might know, tagtog OnPremises is made up of multiple services, each packaged and run as a Docker container.
The tagtog software uses 9 Docker images:
- 8 of our tagtog Docker images either do not package any log4j library at all or use a log4j version that is not affected. That includes our main Docker image, the webapp.
- 1 Docker image ("tagtog_index") packages a susceptible log4j version. However, the functional scope of this image is minimal and, most importantly, no user information or user input is logged there, so the vulnerability cannot be reached. Moreover, as of today, tagtog is not affected by CVE-2021-45046 either.
Our measures:
As described, tagtog is not affected by the Log4Shell vulnerability. Regardless of that, tagtog is committed to security. To be extra cautious, we promptly released a new tagtog version (2021-12-19), which adds the JVM parameter `-Dlog4j2.formatMsgNoLookups=true` by default to the aforementioned "tagtog_index" image.
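The two facts behind this assessment, which log4j-core version each image ships and whether the lookup-disabling JVM flag is present, are easy to verify yourself. The following POSIX shell script is an added example written for this page; it is not tagtog's code and it does not know the actual contents of the tagtog images. It classifies `log4j-core-*.jar` filenames against the CVE-2021-44228 version range, counts the affected jars under a directory (for a real image, unpack it with `docker export` first, as the comment shows), and checks a JVM command line for `-Dlog4j2.formatMsgNoLookups=true`. The sample directory tree and the jar versions in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not tagtog's code: classify log4j-core jars found in a
# filesystem tree (e.g. an exported container image) and check a JVM command
# line for the -Dlog4j2.formatMsgNoLookups=true mitigation the post mentions.
# For a real image: docker export "$(docker create IMAGE)" | tar -x -C DIR
# and then run scan_jars DIR.

# Print "affected" if VERSION falls in the CVE-2021-44228 range
# (2.0-beta9 .. 2.14.1, minus the back-ported fixes 2.3.1 and 2.12.2),
# otherwise "ok". Log4j 1.x and 2.15+ are outside that range.
# Pre-beta9 2.0 snapshots are conservatively reported as affected.
log4j_affected() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0        # "2.0-beta9" has no patch field
    minor=${minor%%-*}                       # drop qualifiers like -beta9/-rc1
    patch=${patch%%-*}
    if [ "$major" != 2 ] || [ "$minor" -ge 15 ]; then
        echo ok; return 0
    fi
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then echo ok; return 0; fi
    if [ "$minor" -eq 3 ]  && [ "$patch" -ge 1 ]; then echo ok; return 0; fi
    echo affected
}

# Walk DIR for log4j-core jars; print "<path> <version> <status>" per jar.
scan_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#log4j-core-}
        printf '%s %s %s\n' "$jar" "$ver" "$(log4j_affected "$ver")"
    done
}

# Count the jars under DIR reported as affected (what a release gate acts on).
count_affected() {
    scan_jars "$1" | awk '$3 == "affected" { n++ } END { print n + 0 }'
}

# Print "yes" if the JVM command line carries the lookup-disabling property.
# log4j honours log4j2.formatMsgNoLookups only from 2.10.0; older 2.x
# releases ignore the flag, so the version check above still matters.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample tree standing in for an unpacked image. The check is
# filename-based, so empty files are enough; the versions are invented here
# and say nothing about what the real tagtog images contain.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/webapp/lib" "$d/index/lib" "$d/legacy/lib"
    : > "$d/webapp/lib/log4j-core-2.17.0.jar"   # fixed release line
    : > "$d/index/lib/log4j-core-2.14.1.jar"    # susceptible version
    : > "$d/legacy/lib/log4j-1.2.17.jar"        # log4j 1.x: not log4j-core, not matched
    echo "$d"
}

sample=$(make_sample_tree)
scan_jars "$sample"
echo "affected jars: $(count_affected "$sample")"
echo "flag present: $(has_nolookups_flag 'java -Dlog4j2.formatMsgNoLookups=true -jar index.jar')"
rm -rf "$sample"
```

The classifier works from filenames only, which is what an image inventory usually gives you; it deliberately treats the JVM flag and the jar version as two separate questions, because the flag only takes effect on log4j 2.10 and later and an affected jar can still be present alongside the flag.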
If you are a tagtog OnPremises client, you can now update your tagtog version.
We appreciate that our teams support each other in upholding high security standards.
The tagtog team and I are gladly at your disposal for any further questions and information.