Atmail’s software and hosting platforms are not vulnerable to CVE-2021-44228, also known as the ‘Log4Shell’ or ‘LogJam’ bug.
Atmail does not use the ‘log4j’ library in any binaries that it ships in its software. The Atmail Cloud does not deploy log4j in any components. Whilst the Atmail Cloud does use cloud services from AWS that were vulnerable to Log4Shell, these are internal services that are not used, accessible or exposed to any end-users or the Internet as a whole and not . The Atmail Cloud is configured to automatically install all security-related operating system and software updates as soon as they become available from our upstream vendors.
For on-premises Atmail customers, we encourage you to apply all available security-related updates from your operating system and software suppliers so that non-Atmail-related components are fully up to date.
What is CVE-2021-44228?
Last week, information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly published Proof-of-Concept, as well as the vulnerability’s easy exploitability.
Please reach out to the Atmail Support team if you have any more questions on this topic and how it relates to your service or installation.