Statement regarding recent security-related events in Java applications
Towards the end of last week, a very critical vulnerability was found in a commonly used Java library (Log4J). This vulnerability (sometimes called Log4Shell) could result in remote code execution in some cases.
Since Via and Tramola are written in Java, we have received inquiries from concerned customers about the security of those products, which we want to address openly for everybody:
Via currently uses Log4J 1.2.17, which is older than the vulnerable Log4J 2.x and is thus not affected. You can continue to use your existing version of Via.
Tramola (currently still in beta) used a vulnerable version of Log4J and, being a Web application, is at high risk. Over the last few days, we’ve updated Tramola to use the fixed Log4J version 2.16.0 to mitigate the problem (the first update was to Log4J 2.15.0, and a second update upgraded Log4J to 2.16.0). This fixed version is available to all current beta testers at the download location communicated to them. If you are a current beta tester of Tramola, please update as soon as possible.
UPDATE 2021-12-18: We’ve just published Tramola Beta 21.0.4 which includes Log4J 2.17.0.