2
log4j exploit - Anything to worry about in SmarterMail
Question asked by Rod Strumbel - 12/13/2021 at 1:05 PM
Answered

5 Replies

3
Matt Petty Replied
Employee Post
I think we're going to send out a newsletter or email to customers here soon. But long and short of it is, your SmarterMail instance is safe, our environment here @ ST is safe, and as long as you've gone through your environment checking for log4j references hopefully the rest of your environment is safe too. Certainly been an interesting morning for Sys Admins all around I'm sure based on all the message boards and articles I'm seeing.
Good luck!  


EDIT/MORE INFO: We're based on .NET and all of our tooling related to SM uses .NET; log4j is a Java-based library/utility related to logging used in many Java projects. Again, we're C#/.NET and we do not use this. We've also checked our backend systems here and verified we aren't using anything that's vulnerable.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
echoDreamz Replied
Thankfully nothing in our environment needed touching, +1 for not using anything Java :)
0
George To Replied
How about its related components?

How about Cyren Anti-Virus and Cyren Antispam?

I believe ClamAV (C++) and SpamAssassin (Perl) are unrelated.
2
echoDreamz Replied
SmarterMail and its components do not use Java at all.
0
Employee Replied
Employee Post Marked As Answer
Hi all, 

As Matt and echoDreamz mentioned, the Log4j exploit DOES NOT have any effect on any SmarterTools software or services/infrastructure. Our applications are built using the .NET framework, so we do not use Log4j or any Java at all. In addition, we host all applications on Windows and we do not have Java installed on any of our servers, and none of the components or other software we use are Java-based.

That said, if you are in charge of any Apache/Linux servers, or even if you have Java installed on a desktop or laptop (Windows or Linux), you may want to make sure your systems are fully patched. Below are a few links with more information on the exploit:

https://www.lunasec.io/docs/blog/log4j-zero-day/ 
https://www.wired.com/story/log4j-flaw-hacking-internet/ 
https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/ 

Happy holidays! 
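Added example, not part of the thread and not SmarterTools code: one way to do the "checking for log4j references" sweep that the replies above recommend is to walk a directory tree and flag every Java archive, including jars nested inside war/ear files, that contains log4j-core's `JndiLookup.class`. The function names, the nesting limit of 4 and the demo files are assumptions made for this example; the demo tree is constructed sample data.

```python
import io
import os
import tempfile
import zipfile
from contextlib import suppress

# Class implementing JNDI lookups in log4j-core 2.x; its presence marks a copy to review.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(source, label, depth=0):
    """Labels of this and nested archives holding JNDI_CLASS; unreadable ones are skipped."""
    hits = set()
    with suppress(zipfile.BadZipFile, OSError, RuntimeError), zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            if name.endswith(JNDI_CLASS):
                hits.add(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < 4:
                inner = io.BytesIO(zf.read(name))  # nested jar, e.g. WEB-INF/lib/*.jar
                hits |= scan_archive(inner, f"{label}!{name}", depth + 1)
    return hits


def scan_tree(root):
    """Walk root; return sorted labels of archives that carry JndiLookup.class."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            path = os.path.join(dirpath, fn)
            hits |= scan_archive(path, path)
    return sorted(hits)


def build_demo_tree(root):
    """Constructed sample: a clean jar plus a war holding a nested log4j-core jar."""
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/App.class", b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-x.y.z.jar", inner.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print("\n".join(scan_tree(tmp)))
```

A hit means a copy of log4j-core 2.x is on disk and its version should be compared with the vendor's patched release; it does not by itself show that the application is exploitable. An empty result only covers the tree that was scanned and the archive types listed in `ARCHIVE_EXTS`.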
