Information about the log4j vulnerability (Log4Shell)

Like many Java programs, ARTBUTLER PRO uses the log4j library to store program output such as internal error messages. This is not a cause for concern, however, because ARTBUTLER PRO is not affected by the vulnerability.

According to the BSI, "this critical vulnerability [...] thus potentially impacts all Java applications accessible from the internet that log parts of user requests with the help of log4j."[1]

Exploiting the vulnerability requires that an attacker can make requests directly to ARTBUTLER PRO from the internet or network, but ARTBUTLER PRO does not provide this functionality in principle. In addition, an attacker would have to be able to influence the text stored by log4j. This is also not possible, as there is no user input that is used directly in the log.

All functions of this library that are affected by the vulnerability are used to log program events over a network. ARTBUTLER PRO does not use these functions either, as all logs are stored directly on the computer on which ARTBUTLER PRO is installed.

The use of these functions is completely disabled by configuration and cannot be activated afterwards. The library itself is encapsulated in the program, so it is basically not available to other programs either.

The ARTBUTLER SERVER does not use the log4j library.

[1] BSI: Kritische Schwachstelle in log4j, veröffentlicht (CVE-2021-44228) (in German)