Statement on Log4J Vulnerability from Videstra

From: Dan Desjardins – CTO Videstra LLC

Summary:

Videstra's Windows-based and Linux-based products are not impacted by the Log4J vulnerabilities. For more information, please read on…

Explanation

Our Windows client and server software do not use or deploy any code that utilizes the Log4j libraries. We, in fact, use no Java libraries at all. All of our code is native MS DotNet, which is subject to all standard Microsoft updates, which we allow on our server as well as on any client computers on which our software may be deployed.

We use a couple of third-party packages, most notably for support. We use TeamViewer™ QS sessions, which also do not employ the Log4J libraries on either the client or server side. Some TeamViewer products were impacted, but it is important to know that they are not used in any way by Videstra, and TeamViewer has already patched those without requiring any client-side updates.

All of our software is scanned using ESET NOD32 prior to deployment (or even for testing within our facility). ESET has been scanning for this particular vulnerability since 11 Dec, but it is important to know that none of our Windows products use Log4j or any Java libraries for that matter (see below for our V-Streamer Decoder based on Ubuntu 18.04 LTS).

Below is a list of third-party applications we typically install on our V-Manager server and the status for each with regard to Log4J:

  • VLC – Not Present
  • PuTTY – Not Present
  • WinSCP – Not Present
  • RestartOnCrash – Not Present
  • FFmpeg – Not Present
  • ImageGlass – Not Present
  • TeamViewer QS – Not Present

One other note with regard to TeamViewer. Since Version 2.2 of our V-Manager, the TeamViewer QS client checks for updates nightly and automatically takes a newer version from our server at Videstra.com if it has been provided. This was not done in response to Log4j, but was done to make sure the latest, tested version of TeamViewer QS runs on the V-Manager.

On our V-Streamer® (the H.264 decoder) no Log4J is present. For the REST and web services we use Lighttpd™ rather than Apache (which is known to use Log4j). Lighttpd does not employ Log4J.

The V-Streamer runs on an Ubuntu Linux-based OS (version 18.04 LTS) and is developed using C++. It also uses React for development of the web interface (which is exposed through Lighttpd), and it is Java based; however, logging is only done from the C++ side, and Log4J is not explicitly installed on the V-Streamer.

Finally – we have scanned the V-Streamer for any instance of Log4j and find that our installation and updates do not install it and never have.

I hope this provides you with the statement you require and the confidence that we do take security seriously.