Statement on Log4J Vulnerability from Videstra

by Dan Desjardins – CTO Videstra, LLC

Summary:

Videstra Windows-based and Linux-based products are not impacted by the Log4J vulnerabilities. For more information please read on…

Explanation

Videstra Windows client and server software do not use or deploy any code that utilizes the Log4J libraries. No Java libraries are used. All code is native Microsoft .NET, which is subject to all standard Microsoft updates, which we allow on our server as well as on any client computers on which our software may be deployed.

Videstra uses select third-party packages, most notably TeamViewer™ QS for support sessions, which does not employ the Log4J libraries on either the client or server side. Some TeamViewer products were impacted, but it is important to know that they are not used by Videstra, and TeamViewer has already patched the vulnerabilities without requiring any client-side updates.

All of our software is scanned using ESET NOD32 prior to deployment and testing within our facility. ESET has been scanning for this particular vulnerability since December 11, 2021. It is important to know that none of Videstra’s Windows products use Log4J or any Java libraries (see below for our V-Streamer Decoder based on Ubuntu 18.04 LTS).

Below is a list of third-party applications typically installed on our V-Manager server and the status for each with regard to Log4J.

  • VLC – not present
  • PuTTY – not present
  • WinSCP – not present
  • RestartOnCrash – not present
  • FFmpeg – not present
  • ImageGlass – not present
  • TeamViewer QS – not present

Since version 2.2 of Videstra V-Manager, the TeamViewer QS client automatically checks for updates nightly and takes a newer version from our server at Videstra.com if one is available. This is not done in response to Log4J, but to make sure the latest, tested version of TeamViewer QS runs on the V-Manager.

On our V-Streamer® (the H.264 decoder), Log4J is not present. For the REST and web services, Lighttpd™ is used, not Apache, which is known to use Log4J. Lighttpd does not use Log4J.

The V-Streamer runs on Ubuntu Linux OS, version 18.04 LTS, and is developed using C++. It uses React for development of the web interface (which is exposed through Lighttpd) and is Java based. Logging is only done from the C++ side, and Log4J is not explicitly installed on the V-Streamer.

Finally, Videstra scanned the V-Streamer for any instance of Log4J and found that our installation and updates do not install it, and never have.

I hope this provides you with the statement you require and the confidence that we take security seriously.