Open-Xchange Statement on log4j vulnerability CVE-2021-44228

On Friday December 10th, Open-Xchange and many others became aware of a critical severity zero-day exploit known as “Log4Shell” in the Log4j library, which is widely used in numerous systems around the internet. We have analyzed the impact on OX App Suite and OX Cloud in great detail and conclude that it is not susceptible to this vulnerability. We use SLF4j as a logging frontend and Logback as a logging backend since version 7.4.2. Those do not share code with log4j-core and based on current knowledge are not vulnerable to CVE-2021-44228 aka. "Log4Shell". For technical details, see:

Your operational environment may however use other services that are vulnerable and could affect overall system security. We strongly suggest performing analysis and implement mitigations which have been publicly communicated by the log4j team and affected vendors.

In the wake of the CVE-2021-44228 "Log4Shell" vulnerability, the Logback project has identified a vulnerability that is similar at first sight, even though the likelihood of successful exploitation is minimal. It is being tracked as

OX App Suite and OX Cloud use Logback and are theoretically impacted by LOGBACK-1591. We have started the process to provide updates for affected and supported versions as a precaution. It is however critical to understand that this vulnerability can only be abused if the default configuration got altered AND an adversary has privileged access to the system running OX App Suite. In that scenario, the service would already be compromised even before exploiting LOGBACK-1591.

Our default configuration is not impacted and based on current knowledge, there is no need to implement mitigations, other than making sure no unauthorized changes are performed to the configuration. For more technical details, please see: