Log4Shell vulnerability - peaq products not affected
The recently revealed security vulnerability Log4Shell (CVE-2021-44228) has drawn a lot of attention and scrutiny from IT departments investigating to what extent their organisations are exposed. peaq has also received numerous inquiries regarding the vulnerability of IOportal and SAM4H.
We would like to inform our customers and partners that none of our products are written in Java, and none of them use Apache. For these reasons, our products are not affected by the CVE-2021-44228 Log4Shell vulnerability.
The only third-party dependency in our software that is written in Java is Elasticsearch (used by SAM4H). Because Elasticsearch uses the Java Security Manager, it is not affected by Log4Shell: https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/
In case you or your security department require further details, do not hesitate to contact us.
Your peaq team
Update 2022-09-11
SAM4H release 2.1.1 ships with Elasticsearch v7.17.6. According to the following Elasticsearch post, all Log4j vulnerabilities should be fixed now: https://www.elastic.co/de/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2