orcharhino is not affected by the log4j Vulnerability

Garching, December 15th, 2021

ATIX AG has confirmed that orcharhino 5.10 and the upcoming orcharhino 5.11 release are not affected by the log4j vulnerability.
Neither orcharhino Server, orcharhino Proxy, nor any plugins provided by ATIX are affected by the remote code execution vulnerability.

On December 9th, 2021, a critical security vulnerability in Apache Log4j, CVE-2021-44228, was reported with a CVSS severity level of 10 out of 10.
It is a remote code execution vulnerability, which means that if an attacker exploits it on a vulnerable host, they can execute arbitrary code and potentially take control of the system.

According to the project website, “Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints”.
If you use Apache Log4j in your own projects, you should update it to 2.16+ as soon as possible.

If you have any further questions, feel free to reach out to us.
