My application does not use Log4J. Neither does it use Java (it uses JavaScript, but that is a different animal).
The application is built on and uses the .NET framework.
>That's not my understanding:
>https://en.wikipedia.org/wiki/Log4Shell
>As I read it, you are vulnerable if:
>
>- your device runs Java and includes a vulnerable version of the Log4J framework for logging
>- your device can receive unsanitized requests which get logged by Log4J
>
>An attacker can thereby execute arbitrary commands in the context of the Log4J process running on the target device.
>
>Log4J is maintained by the Apache Software Foundation but this vulnerability is not limited to Apache servers running Java. It's basically Java-wide if Log4J is in use and can be reached by an attacker.
>
>>The problem exists in one component that is used by some Apache servers. Unless your app uses an Apache server, you have no exposure -- from what I've read.
>>
>>"Application X does not in any way use the affected component which causes the security vulnerability."
>>
>>>Hi,
>>>
>>>Today I received an email from one of my customers who uses my ASP.NET application. This is the content of their email:
>>>
>>>In recent days, there have been multiple security advisories from Homeland Security (https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) and considerable media
>>>coverage of the Log4j vulnerability. This flaw, disclosed by Apache last week, allows attackers to
>>>execute code remotely on a target computer, enabling the attacker to steal data, install malware or take
>>>control of the target system.
>>>
>>>As a partner of Organization Name, we are requesting that you provide information related to the
>>>information related to [insert application (s)]. Please advise the following:
>>>
>>>• Any public statement your organization has made related to this vulnerability and/or
>>>• Specify any updates required at this time to [insert application] to remediate exposure to the Log4j vulnerability
>>>• Notify Organization Name immediately of any change in status in the coming weeks related to further updates needed
>>>
>>>
>>>Of course, I am not going to make any public statement.
>>>
>>>But it is not clear if my application has an exposure to the Log4j (which I know nothing about) or
>>>this is just a generic email they sent to all vendors?
>>>
>>>What do you think?
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham