SUMMARY
I work for the regional government "Region Kronoberg" (www.kronoberg.se) and in our healthcare organisation we use your program Kdenlive version 21.04.3. Recently it became known that there is a vulnerability in the framework for Java called Apache Log4j. Log4j is a log management framework that can be used in Java. We are now examining all systems and software used in our organisation to see if these systems / software use Log4j.

I would appreciate it if the following questions can be answered:
- Does your product Kdenlive version 21.04.3 contain the Log4j framework?
- Is your product vulnerable to CVE-2021-44228? More information is available at: NVD - CVE-2021-44228 (nist.gov)

If the answer to one of these questions is "Yes", please also answer the following questions:
- How do you intend to deal with the vulnerability?
- How should we act as a user?
- If there is no resolution available at this moment, WHEN will a resolution be released and WHAT do you suggest we do in the meantime?

Since this is a serious vulnerability I hope to get an answer very soon.

With kind regards,
Danny Zwaard

SOFTWARE/OS VERSIONS
Windows: 10 (Version 10.0.18363.2037)

Hello, No worries, we don't use Java, so no vulnerability to Log4j. It's true we don't have manpower to track CVEs for all the dependencies we rely on when building our binaries in KDE Craft (e.g. Qt, FFmpeg...).
Our IT dept was not fully satisfied with the answer given. According to them there is a risk that Java is used embedded in other programming languages and therefore a possibility that Log4j is used somewhere embedded. They would like to get a statement that Kdenlive version 21.04.3 is NOT affected by vulnerabilities in Log4j (CVE-2021-44228). Can you confirm this statement?
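
The concern raised above (Log4j bundled somewhere inside an installation) can also be checked locally. The following is an added example, not code from the Kdenlive project or from anyone in this thread: it walks a directory and reports Java-style archives, including archives nested inside other archives, that contain the log4j-core `JndiLookup` class. The function names and the sample archives built by `build_sample` are constructed for illustration.

```python
import io
import os
import zipfile

# Class file shipped in log4j-core 2.x; CVE-2021-44228 is reached through it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return labels of archives (nested ones included) that hold JNDI_CLASS."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP container despite its extension
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_CLASS) and label not in hits:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                try:
                    inner = zf.read(name)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member, skip it
                hits += scan_archive(inner, label + "!" + name, depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Walk an installation directory and scan every Java-style archive in it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        hits += scan_archive(fh.read(), path)
                except OSError:
                    continue  # unreadable file, skip it
    return hits

def build_sample(root):
    """Constructed test data: one clean jar and one jar nested inside a war."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"placeholder")
```

Call `scan_tree` on the program's installation directory; an empty list means no archive under that path contains the class under its standard name. A hit only shows that log4j-core 2.x is present, so the bundled version still has to be compared against the advisory for CVE-2021-44228.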