Pleasant Password Server Products NOT Affected by CVE-2021-44228 Exploit
Regarding: CVE-2021-44228, CVE-2021-45046
Password Server does NOT use Apache Log4j and is NOT vulnerable to these attacks:
- Apache Log4j is a popular Java-based logging utility, which is part of the Apache Logging Services.
Password Server products do NOT use this component and we have checked thoroughly that they are unaffected by this exploit:
- Password Server
- KeePass for Pleasant
- Mac Client
- Mobile Clients (Android/iOS)
- Password Safe Client
- Self-Serve Reset
- Auto-Fill (browser extension)
Pleasant Password Server components:
- Logging component:
  - Password Server does not use Log4j. Instead it uses the NLog component for logging, which is based on .NET, not Java. This component is not affected by the Log4j issue.
- Java components:
  - Password Server does not use Java, with the exception of Android mobile.
  - Password Server Android mobile does not use the Log4j component, but may use other unaffected Java components.
- Hosting components:
  - Password Server is hosted on Windows with IIS Express (default) or IIS (recommended).
  - Password Server is not hosted on Apache/Linux.
Update Pleasant Password Software
However, recent releases of Password Server include other important Pleasant Password Server Security Updates for unrelated issues, and these do require updating.
Download unrelated security patches (Stable / Latest):
Further Mitigation in Your Systems
If your organization uses Apache Log4j elsewhere, you should resolve this as follows:
- Immediately update any copies of Log4j in your network to Apache Log4j version 2.16.0
- Look for any network files matching this:
- Microsoft Response:
- Sophos Technical Explanation & Fix:
- CVE Database:
- US Vulnerability Database:
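
An inventory sweep for the "Further Mitigation" steps above, as an added example that is not part of the original advisory: it walks a directory tree, opens every .jar/.war/.ear file (including archives nested inside them), and flags any log4j-core copy older than the 2.16.0 named above. The archive entry names it checks and all function names are assumptions of this example, not patterns taken from this page.

```python
import io, os, re, sys, zipfile

TARGET = (2, 16, 0)  # update target named in the advisory
# Entries found inside a log4j-core archive (assumptions of this example)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' (or '2.9') into a comparable tuple such as (2, 14, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect(data, label, findings):
    """Inspect one archive given as bytes, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # wrong extension or corrupt file: nothing to inspect
    with zf:
        names = set(zf.namelist())
        # Prefer the Maven metadata; fall back to a log4j-core-<ver> file name.
        text = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
        m = (re.search(r"^version=(\S+)", text, re.M)
             or re.search(r"log4j-core-(\d[\d.]*)", os.path.basename(label)))
        version = parse_version(m.group(1)) if m else None
        if JNDI in names or version is not None:
            # An unknown version (e.g. repackaged classes) is flagged for review.
            findings.append({"path": label, "version": version,
                             "needs_update": version is None or version < TARGET})
        for name in names:
            if name.lower().endswith(ARCHIVES):
                inspect(zf.read(name), f"{label}!{name}", findings)

def scan(root):
    """Walk root and return one finding per log4j-core copy, nested or not."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    inspect(fh.read(), path, findings)
            except OSError:
                continue  # unreadable file: keep sweeping
    return findings

if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("UPDATE" if f["needs_update"] else "ok    ", f["version"], f["path"])
```

Run it against each application directory or file share; a path containing `!` is a copy bundled inside another archive, which a file-name search alone would miss.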