Recently, a significant security vulnerability was announced in Apache Log4j, a widely used Java logging library. The vulnerability is commonly referred to as Log4Shell and has been assigned the identifier CVE-2021-44228. (It has occasionally been mislabeled "LogJam" in news coverage; Logjam is the name of an unrelated 2015 TLS vulnerability, CVE-2015-4000.)
The short version: Carousel is not directly affected by this vulnerability. We have audited our code and dependencies, and the affected component is not used in any Carousel software product. The vulnerable component is a Java library, and Java is not the technology platform we use to build and run Carousel.
That said, while the Carousel software itself is not vulnerable to this issue, it’s important to know that there are some subtle differences at play depending on whether you are a Carousel Cloud or a Carousel 7 (or earlier) customer.
Carousel Cloud:
We use technology partners including Amazon Web Services to deliver our Carousel Cloud service. We have confirmed with our partners that their services are either not impacted by this issue, or that they have already mitigated any potential impacts.
Carousel 7 and below:
Because Carousel versions 7 and below are installed on customer-owned hardware or virtual servers, customers, their resellers, or other partners may have installed additional third-party software into these environments that may be vulnerable to this issue. Common examples include firewall, backup, VPN, monitoring, or other enterprise management tools; many such products ship their own Java runtime and a bundled copy of Log4j, so the library can be present on a server even when Java was never installed deliberately. Again, in this situation the Carousel software itself is not vulnerable. However, we strongly encourage customers to audit any additional software installed on their Carousel virtual or physical servers and immediately patch or uninstall anything that may be vulnerable. Upstream fixed CVE-2021-44228 in Log4j 2.15.0 (later 2.17.x releases address follow-on issues), but third-party products normally have to be updated through their own vendor's patch rather than by replacing the library by hand, so check each vendor's advisory.
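One way to start the audit described above is to scan the server's disk for bundled copies of log4j-core and check their versions. The script below is an added example written for this page, not Carousel's own tooling or a substitute for vendor advisories. It walks a directory tree, opens .jar/.war/.ear/.zip archives (and jars nested inside them, as in a WAR's WEB-INF/lib), reads the log4j-core Maven metadata to get the version, tests it against the CVE-2021-44228 range (2.0-beta9 through 2.14.1, excluding the back-ported 2.3.1 and 2.12.2 fixes), and notes whether the JndiLookup class that the exploit relies on is still present (removing it was a widely published interim mitigation). The sample archives it builds in a temp directory are constructed stand-ins, not real Log4j builds. Python is used here because the same script runs unchanged on Windows and Linux servers.

```python
"""Audit a directory tree for Log4j 2.x builds affected by CVE-2021-44228.

Added example for illustration; constructed sample data, not real Log4j jars.
"""
import io
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' / '2.0-beta9' / '2.0-rc1' -> comparable tuple, or None."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text)
    if not m:
        return None
    rank = {"beta": 0, "rc": 1}.get(m.group(4), 2)  # pre-releases sort before the release
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), rank, int(m.group(5) or 0))


def is_affected(version):
    """True if the version is in the CVE-2021-44228 range, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None                      # unknown: flag for manual review
    pv = parse_version
    if pv("2.3.1") <= v < pv("2.4.0") or pv("2.12.2") <= v < pv("2.13.0"):
        return False                     # back-ported fixes for the Java 6 / Java 7 lines
    return pv("2.0-beta9") <= v < pv("2.15.0")


def status(finding):
    if finding["affected"] is None:
        return "REVIEW"
    if not finding["affected"]:
        return "NOT AFFECTED"
    # Removing JndiLookup blocks the CVE-2021-44228 path but upgrading is still required.
    return "MITIGATED" if not finding["jndi_lookup_present"] else "VULNERABLE"


def inspect_archive(zf, location, findings):
    names = set(zf.namelist())
    if POM in names:
        props = zf.read(POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({"location": location, "version": version,
                         "affected": is_affected(version),
                         "jndi_lookup_present": JNDI_CLASS in names})
    for name in names:                   # recurse into jars embedded in WAR/EAR/fat jars
        if name.lower().endswith(".jar"):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!/{name}", findings)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, os.path.relpath(path, root), findings)
                except zipfile.BadZipFile:
                    pass                 # not a zip container (or corrupt); skip
    return findings


def audit(root):
    """Map each log4j-core location (relative to root) to its status."""
    return {f["location"]: status(f) for f in scan_tree(root)}


def make_archive(path, version=None, keep_jndi=True, nested=None):
    """Write a stand-in archive for the sample tree (constructed, not a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if keep_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes; only the entry name is checked
        if nested:
            zf.write(nested, "WEB-INF/lib/" + os.path.basename(nested))


def build_sample_tree():
    """Constructed sample: vulnerable, patched, class-stripped, and WAR-embedded copies."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    vuln = os.path.join(root, "log4j-core-2.14.1.jar")
    make_archive(vuln, "2.14.1")
    make_archive(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    make_archive(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", keep_jndi=False)
    make_archive(os.path.join(root, "app.war"), nested=vuln)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for loc, st in sorted(audit(root).items()):
        print(f"{st:13} {loc}")
```

Run it as `python log4j_audit.py C:\` (or `/`) against a real server; with no argument it scans the constructed sample tree. Treat every REVIEW and VULNERABLE line as something to trace back to the product that installed it, and apply that vendor's fix rather than editing jars in place.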
If you have additional questions, please connect with us at firstname.lastname@example.org