Vulnerability
Message
From
17/12/2021 20:53:10
To
17/12/2021 20:10:27
General information
Forum:
ASP.NET
Category:
Security
Title:
Miscellaneous
Thread ID:
01682996
Message ID:
01683004
Views:
41
Good point.

One way to test: create a new VM that doesn't have Java installed. Does your app run fully? If so, there are no hidden vulnerabilities.

If your app is hosted somewhere, then there's still a chance that other hosted apps are vulnerable, which in turn makes your app vulnerable.

The vendor that hosts the big app for my day job has done their due diligence, found 2 instances and taken care of them. They have been doing this for 21 years so they know the drill and did it.

Hank

>If that's true of your app and all its dependencies you should not have anything to worry about. One of the main pain points of this situation is that Log4J is apparently a very common dependency.
>
>Re your original post: Companies are scrambling to determine if they're running vulnerable Log4J. Ultimately it's up to them to mitigate but they're trying to get help from vendors like you, even if it's just to rule your app out as a potential problem.
>
>You mainly want to avoid the situation where you tell them your app doesn't use Log4J, but it turns out it does, and someone gets hacked as a result.
>
>>My application does not use Log4J. Neither does it use Java (it uses JavaScript, but that is a different animal).
>>The application is built on and uses the .NET framework.
>>
>>>That's not my understanding: https://en.wikipedia.org/wiki/Log4Shell
>>>
>>>As I read it, you are vulnerable if:
>>>
>>>- your device runs Java and includes a vulnerable version of the Log4J framework for logging
>>>- your device can receive unsanitized requests which get logged by Log4J
>>>
>>>An attacker can thereby execute arbitrary commands in the context of the Log4J process running on the target device.
>>>
>>>Log4J is maintained by the Apache Software Foundation but this vulnerability is not limited to Apache servers running Java. It's basically Java-wide if Log4J is in use and can be reached by an attacker.
>>>
>>>>The problem exists in one component that is used by some Apache servers. Unless your app uses an Apache server, you have no exposure -- from what I've read.
>>>>
>>>>"Application X does not in any way use the affected component which causes the security vulnerability."
>>>>
>>>>>Hi,
>>>>>
>>>>>Today I received an email from one of my customers who uses my ASP.NET application. This is the content of their email:
>>>>>
>>>>>In recent days, there have been multiple security advisories from Homeland Security (https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) and considerable media coverage of the Log4j vulnerability. This flaw, disclosed by Apache last week, allows attackers to execute code remotely on a target computer, enabling the attacker to steal data, install malware or take control of the target system.
>>>>>
>>>>>As a partner of Organization Name, we are requesting that you provide information related to [insert application (s)]. Please advise the following:
>>>>>
>>>>>• Any public statement your organization has made related to this vulnerability and/or
>>>>>• Specify any updates required at this time to [insert application] to remediate exposure to the Log4j vulnerability
>>>>>• Notify Organization Name immediately of any change in status in the coming weeks related to further updates needed
>>>>>
>>>>>Of course, I am not going to make any public statement.
>>>>>
>>>>>But it is not clear if my application has an exposure to Log4j (which I know nothing about) or whether this is just a generic email they sent to all vendors?
>>>>>
>>>>>What do you think?
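A defender's check for the question running through this thread (does the deployment ship Java and Log4J at all), added here as example code, not Hank's or any vendor's: walk a deployment directory, open every Java archive, recurse into nested jars, and report the log4j marker classes, including the JndiLookup class that Log4Shell abuses. The sample tree, the placeholder class bytes and the `reports.war` reporting tool are constructed for the demo.

```python
import io, tempfile, zipfile
from pathlib import Path

# Class files whose presence in an archive identifies the bundled logging library.
# JndiLookup.class is the log4j-core 2.x component Log4Shell abuses; a vendor that removed it still hits the second marker.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core 2.x, JNDI lookup present",
    "org/apache/logging/log4j/core/Logger.class": "log4j-core 2.x present",
    "org/apache/log4j/Logger.class": "log4j 1.x present (end of life)",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label, depth=0, max_depth=3):
    """Return (archive label, entry, description) per marker found, recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    for entry in zf.namelist():
        if entry in MARKERS:
            findings.append((label, entry, MARKERS[entry]))
        elif entry.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
            findings.extend(inspect_archive(zf.read(entry), f"{label}!{entry}", depth + 1, max_depth))
    return findings

def scan_tree(root):
    """Walk a deployment directory and inspect every Java archive; .NET assemblies are skipped."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings

def build_archive(entries):
    """Constructed fixture: a zip whose entries hold placeholder bytes, not real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed tree: an ASP.NET site that also ships a hypothetical Java reporting tool."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "App.dll").write_bytes(b"MZ")  # .NET assembly, never opened
        stub = b"\xca\xfe\xba\xbe"
        core = build_archive({"org/apache/logging/log4j/core/Logger.class": stub,
                              "org/apache/logging/log4j/core/lookup/JndiLookup.class": stub})
        (root / "reports.war").write_bytes(build_archive({"WEB-INF/lib/log4j-core.jar": core}))
        return scan_tree(root)
```

An empty result from `scan_tree` over a real install directory is the static counterpart of Hank's Java-free VM test; a JndiLookup hit names the exact archive to send to the vendor.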