Security Advisory: Apache Log4J Vulnerability


Related CVE References: CVE-2021-44228

Priority: Critical

DrayTek Product Affected: None

Action Required: None

In December 2021, a very serious vulnerability was discovered in an Apache library called Log4J. This library is widely used in servers and notably in many CPE (routers) which are Linux-based, and you may have read about it as being a 'router vulnerability'. That is why we are issuing this advisory even though none of our products are affected or vulnerable: to put your mind at rest but also, due to the severity of the vulnerability, to warn you to check other products, as Log4J is widely used by hardware and software/server products.

DrayTek routers mostly use DrayOS (our proprietary closed OS) or a hybrid OS, and none of our models include the affected library.

None of our software products use Log4J core or have it running, so they are not vulnerable to the exploits.

Any updates or changes in the situation will be posted here.

Update Mailing List (UK/Ireland)

UK/Ireland users should subscribe to our mailing list in order to receive timely notifications of firmware or critical updates like this. As a general rule of best practice, always keep all of your products' firmware up to date and check for updates.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.

Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk", not our web domain (draytek.co.uk). Both of the domains are legitimate and belong to us (DrayTek) but in line with anti-phishing measures, you're quite right to check.