Statement regarding recent security-related events in Java applications
Towards the end of last week, a very critical vulnerability was found in a commonly used Java library (Log4J). This vulnerability (sometimes called Log4Shell) could allow remote code execution in some cases.
Because Via and Tramola are written in Java, we received inquiries from concerned customers about the security of those products, which we want to address openly for everybody:
Via currently uses Log4J 1.2.17, which is older than the vulnerable Log4J 2.x and is thus not affected. You can continue to use your existing version of Via.
UPDATE 2022-02-11: The newly released Via 22.1 now uses Log4J 2.17.1, just to be on the safe side.
Tramola (currently still in beta) used a vulnerable version of Log4J and, being a Web application, is at high risk. Over the last few days, we’ve updated Tramola to use the fixed version, Log4J 2.16.0, to mitigate the problem (the first update was to Log4J 2.15.0, and a second update upgraded Log4J to 2.16.0). This fixed version is available to all current beta testers at the download location communicated to them. If you are a current beta tester of Tramola, please update as soon as possible.
UPDATE 2021-12-18: We’ve just published Tramola Beta 21.0.4 which includes Log4J 2.17.0.
UPDATE 2022-01-05: We’ve just published Tramola Beta 21.0.5 which includes Log4J 2.17.1.