Log4j/log4shell CVE-2021-44228 and :cvb:

Due to the recent news coverage, the question has occasionally been raised whether or not :cvb: is affected by the log4j security vulnerability published in late 2021 as CVE-2021-44228.

Short answer: no :wink:

:cvb: has no contact with the Java runtime environment in general and with the Java component log4j in particular. Log4j was not used in the realisation of :cvb: and therefore :cvb: is not affected by the security vulnerability known as “log4shell”.

The 3rd party components used in the realisation of Common Vision Blox also do not use log4j. The open source C++ component log4cpp, a component of the GenApi reference implementation, only has a similar name, but is not based on the Java runtime environment, which would be necessary for a “log4shell” attack.