On the 10th of december 2021 information on a vulnerability was made public on the Internet. The vulnerable component was log4j2, and is a common component in many places where Java is used. The vulnerability was named “log4shell” and formally called CVE-2021-44228 in the CVE directory.

The log4j2 flaw has a base CVSS score of 10 and enables remote code execution against application. The log4j component is used in many software tools and in places which makes the attack surface very large. These issues combined gives a problem that is of grave concern to many security responsible around the globe.

Since no components in the deaddrop solution is built using Java, there are no uses of Java components such as Log4j2.

Since deaddrop does not have the vulnerable component, no part of deaddrop is affected. Deaddrop is NOT vulnerable to the log4shell/CVE-2021-44228 vulnerability.

More information about CVE-2021-44228 is published at NIST.