A security vulnerability in widely used open source software alarms IT experts. Snom Technology GmbH, however, currently assumes no danger to its IP phones.
Since the weekend of 11/12 December 2021, the security vulnerability in the Java logging library log4j has been making headlines and causing a lot of uncertainty worldwide. So far, many are only aware that it is a potentially critical security vulnerability. This much is known for certain: Log4j is a so-called logging library for recording events in Java server operations - for example, for the later evaluation of errors. The problem primarily affects the operators of services and IT infrastructure. At present, end users are not explicitly the target of the vulnerability. Nevertheless, uncertainty is increasing and Snom has already received numerous enquiries regarding the security of its devices.
At this point we can sound the all-clear: Since no Java is used in Snom's endpoints, these devices remain unaffected.
"We assume that the Snom phones cannot be affected by the current security breach in log4j," says Jan Boguslawski, Product Owner at Snom. "There is no use of Java in the web interfaces of the devices and therefore there is no need for log4j."
Since no classical web server (Apache, IIS, etc.) which could enable the integration of libraries is used anyway, an integration of Java or similar is not possible. There are therefore no vulnerabilities and consequently no need for action/patches.