RealObjects is actively responding to the reported remote code execution vulnerability CVE-2021-44228 in the Apache Log4j 2 Java library, also known as “Log4Shell” (https://www.lunasec.io/docs/blog/log4j-zero-day/). We are investigating and analyzing whether and how our products and services may be impacted by this vulnerability.
So far, we do not believe our current products are vulnerable to exploitation in their default shipping configuration. The Log4j library is not shipped with PDFreactor, and it is not a required dependency. Our own code does not use Log4j at all. In addition, neither the PDFreactor Web Service nor the official PDFreactor Docker image contains Log4j.
However, at this time we can’t rule out that third-party libraries we use in PDFreactor might make use of the Log4j library if it can be found in the Java classpath. So if you have Log4j in the Java classpath of your PDFreactor instance, you must make sure to take the necessary steps described at https://logging.apache.org/log4j/2.x/security.html to mitigate the potential risk.
We will continue to monitor and investigate this issue and update this information as needed.