Note about the critical vulnerability CVE-2021-44228

CVE-2021-44228 is related to a critical vulnerability of Apache’s Log4j logging component that could allow attackers to execute arbitrary code on affected systems.

Tapkey’s production systems are not affected by CVE-2021-44228.

The Tapkey Trust Service doesn’t use Log4j in any way and therefore isn’t affected by the vulnerability.

The Tapkey Mobile SDK and the Tapkey App do use the Java language but don’t use Log4j. Moreover, the targeted operating systems (Android and iOS) don’t support JNDI, which would be required to exploit the vulnerability.

The Tapkey Lock SDK isn’t affected, because it doesn’t use Log4j or the JVM in any way.

That said, we did identify one non-production component that references a vulnerable version of Log4j. We do host some example code for Java developers on GitHub, which can be found here.

The code uses spring-boot in a version that references a vulnerable version of Log4j. This sample code isn’t directly affected by the vulnerability by default, because even though it references Log4j, it is not configured to use it. However, we updated the sample to make sure a fixed version of Log4j is being referenced. Customers that use our Java example code as a basis for their own components are suggested to update their code accordingly.

References: CVE-2021-44228 Detail