UPDATE (Dec 20th, 2021): Yet another update has been released, NoTouch Center 4.5.246 with log4j 2.17.0, which also addresses CVE-2021-45105. We will continue to monitor log4j and follow their updates in an extremely timely manner.
UPDATE (Dec 15th, 2021): Another update has been released, NoTouch Center 4.5.233 with log4j 2.16.0, which also addresses CVE-2021-45046. That issue is far less severe and only applies in specific non-standard configurations; nevertheless, we suggest updating.
A new security flaw is all over the news – “log4shell” (CVE-2021-44228), affecting (not only) Internet giants like Twitter and Apple. The culprit is a certain line of code in the Apache log4j package, a widely used open source Java logging utility. NoTouch Center 4.5.231, released December 11, 2021, and future versions contain log4j 2.15.0 (or newer), the updated version that is definitely not susceptible. When used in a properly up-to-date Stratodesk Virtual Appliance, it seems that the actual, malicious Remote Code Execution is not possible, because the Java runtime in use (11.0.x) has the behaviour the attack relies on disabled by default. Nevertheless, Stratodesk strongly recommends updating to NoTouch Center 4.5.231.
NoTouch OS does not use log4j at all; a Virtual Appliance in Cloud Xtension mode does not use log4j either.
A quick mitigation is to update the Virtual Appliance to 1.0-657, as it uses a mitigation technique based on the log4j.formatMsgNoLookups=true setting. In other words, if you don’t want to update NoTouch Center right away, please ensure you are running 1.0-657 as per Updating the Virtual Appliance Software (KB) – this is quick and painless and available regardless of subscription status.
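To verify on your own systems which of the fix levels named above a deployment has actually reached, the following inventory script is an added example written for this page; it is not Stratodesk's code and knows nothing about the internals of NoTouch Center or the Virtual Appliance. It walks a directory tree, reads the Implementation-Version from each log4j-core jar's manifest (falling back to the version in the filename), and lists which of the three advisory CVEs remain unresolved at that version (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.17.0 for CVE-2021-45105). It also checks a JVM argument string for the no-lookups mitigation; note that the system property's canonical spelling is `log4j2.formatMsgNoLookups`, the property only exists from log4j 2.10.0 on, and, as the December 15th update says, it is not a complete substitute for upgrading. The sample jars the script builds in a temporary directory are constructed for the demo, not real artifacts.

```python
"""Inventory log4j-core jars under a directory and classify them against the
advisory's fix levels. Example code written for this page, not vendor code."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Fix level at which each CVE named in the advisory is addressed.
FIX_LEVELS = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
]
LOOKUPS_PROPERTY = "-Dlog4j2.formatMsgNoLookups=true"  # canonical system property name


def parse_version(text):
    """Extract the first x.y.z version from a string as an int tuple, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # damaged jar or no manifest: try the filename instead
    return parse_version(Path(path).name)


def unresolved_cves(version):
    """CVEs from the advisory whose fix level is above the given version."""
    if version is None:
        return ["unknown version"]
    return [cve for level, cve in FIX_LEVELS if version < level]


def scan(root):
    """Map every log4j-core jar under root to its list of unresolved CVEs."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings[path] = unresolved_cves(jar_version(path))
    return findings


def has_lookups_mitigation(jvm_args, version):
    """True only if the no-lookups property is set AND the log4j version honours it
    (the property was introduced in 2.10.0; older releases silently ignore it)."""
    return LOOKUPS_PROPERTY in jvm_args.split() and version is not None and version >= (2, 10, 0)


# Constructed sample layout (not real artifacts): relative path -> manifest version.
SAMPLE_JARS = {
    "lib/log4j-core-2.14.1.jar": "2.14.1",
    "app/WEB-INF/lib/log4j-core-2.15.0.jar": "2.15.0",
    "lib/log4j-core-2.17.0.jar": "2.17.0",
}


def build_sample_tree(root):
    """Write minimal jars (zip files with only a manifest) for the demo."""
    for rel, ver in SAMPLE_JARS.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")


def demo():
    """Build the constructed tree in a temp dir and scan it; keyed by jar filename."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.basename(p): cves for p, cves in scan(root).items()}


if __name__ == "__main__":
    for jar, cves in sorted(demo().items()):
        print(f"{jar}: {'OK' if not cves else ', '.join(cves)}")
```

Point `scan()` at the application's library directory instead of the demo tree to get a real inventory; a jar reported as "unknown version" deserves a manual look rather than being treated as clean.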