Impact of Log4j vulnerability on GFI

A new 0-day vulnerability, formally known as CVE-2021-44228, was published on the NIST National Vulnerability Database on Friday, December 10. It is found in the Log4j Java library. 

Log4j is a popular open source logging library made by the Apache Software Foundation. The security vulnerability found in Log4j allows hackers to execute remote commands on a target system. The severity of the vulnerability is classified as “Critical” by NIST.

How are GFI products impacted?

The GFI development team is reviewing our products for use of Log4j.

A function of Kerio Connect utilizes Log4j, and a recommended mitigation is identified below.

If we identify any additional recommended mitigations, we will provide a follow up communication. Additional information, when available, will also be posted on this page.

Kerio Connect vulnerability mitigation

Log4j is used in Kerio Connect as part of the chat function. We recommend that all Kerio Connect users temporarily disable the chat function in the software.

To disable chat in Kerio Connect:

  1. Go to Configuration.
  2. Click on Domains.
  3. Double-click on the desired domain.
  4. Find the “Chat” section on the General tab.
  5. Deselect the “Enable chat in Kerio Connect Client.” option.
  6. Repeat the above steps for all of your email domains.

Kerio Connect security hotfix

Work has already started on a security hotfix for Kerio Connect. We intend to deliver a public release in the next few days.

We will send a follow-up notification to all Kerio Connect customers at your registered email when the release is available.