- Joined
- Dec 10, 2021
- Messages
- 1
- Reaction score
- 1
I would say it is the wrong time to just believe jcostlow!I believe that plugin is only for Apache. 3CX uses nginx so it shouldn't be affected.
This is absolutely false information. Log4j has nothing to do with Apache httpd (web server).I believe that plugin is only for Apache. 3CX uses nginx so it shouldn't be affected.
Thank you very much for this official information.Hello all,
Thanks for raising concerns, let's clear this out: we are indeed not using any Java in the 3cx System and confirmed with our Product team that we have no dependencies with Log4j library so aren't affected by this vulnerability.
@Bucher Admin this means your 3cx HTTPS port was contacted by those IP addresses that are probably scanning for vulnerable hosts to hack but it's a dead end in our case.
Hi thanks for the "official" statement.Hello all,
Thanks for raising concerns, let's clear this out: we are indeed not using any Java in the 3cx System and confirmed with our Product team that we have no dependencies with Log4j library so aren't affected by this vulnerability.
@Bucher Admin this means your 3cx HTTPS port was contacted by those IP addresses that are probably scanning for vulnerable hosts to hack but it's a dead end in our case.
Good! thanks for the detailed info!@HiroNikuyama we've checked also the 3cx windows client, Desktop application, Android app, iOS app and they don't have any dependency to this library, so all are safe.
I'm not an expert but I believe this is so that Nlog can send and receive messages to a remote log4J application. Again, this is just a guess!I made some analysis today and found traces of log4j in the File /usr/lib/3cxpbx/NLog.dll
log4jDateBase
log4jxmlevent
Just to underline this via a simple github search -> https://github.com/NLog/NLog/search?q=log4jHello,
I have not received any reply from the gentleman but our internal checks confirms that there is no such vulnerability in the products. In particular, nothing happens when throwing java strings to our ports...
@tnib_brainy about NLog.dll, it's a standard .NET library used for logging, it does have 2 "Log4j" strings in it which are functions names meant to format some outputs in the same manner for interoperability purposes, but in no way this means the vulnerable Log4j library is statically or dynamically loaded in it. The two libraries are not related. You can also refer to their site or github for more info.
Link up your team and customers Phone System Live Chat Video Conferencing
Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.
Check your inbox!
We’ve sent you an email. Click on the button in the email body to verify your email address – (if you can not find it, check your spam folder).
Upon verification you will be directed to the 3CX setup wizard.