December 17, 2021
The Log4Shell vulnerability in the Apache Log4j 2 logging library (CVE-2021-44228) is a potentially severe threat to any organization that runs internal or third-party Java applications that log through Log4j. Our customers and partners have asked whether Alliance Key Manager is affected by this vulnerability.
Link to the CVE:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
After technical review and external application scanning (Nessus), we can report that Alliance Key Manager is not subject to this vulnerability. This applies to every platform on which Alliance Key Manager can be deployed, including VMware, Microsoft Azure, Amazon AWS, and the Townsend Security HSM. The primary key management interface to Alliance Key Manager is a TLS-protected interface whose server side is implemented in ANSI C, for both the traditional Townsend interface and KMIP operations, and all inputs are validated before they are processed. Java is not used for any logging function: the user, administrative, encryption and mirroring functions of the key management interfaces are logged with native ANSI C code, and some server management functions log through Python.
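The check above covers Alliance Key Manager itself; the Java applications that call it (KMIP clients, SDK integrations, web front ends) still need to be inventoried. The following is an added example, not Townsend Security code and not part of Alliance Key Manager: an offline scanner that walks a directory tree, opens every .jar/.war/.ear, recurses into nested archives, reads the log4j-core version from its Maven pom.properties, and checks whether the JndiLookup class (the component that performs the JNDI lookup) is present. A 2.x version below 2.15.0 with that class present is reported as affected by CVE-2021-44228; the sample archives it scans are constructed in a temporary directory, so the script runs without network access or real Log4j artifacts.

```python
"""Offline inventory check for CVE-2021-44228 (Log4Shell) in Java archives.

Added example, not Townsend Security code. The sample jars it scans are
constructed in a temp directory and contain no real bytecode.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_IN = (2, 15, 0)  # CVE-2021-44228 is fixed in 2.15.0; follow-on CVEs raised the floor further


@dataclass
class Finding:
    path: str                 # archive path; nested members are shown as outer!inner
    version: Optional[str]    # from log4j-core pom.properties, None if absent
    has_jndi_lookup: bool     # JndiLookup.class present in the archive
    affected: bool            # verdict for CVE-2021-44228


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    ignored because every 2.0 pre-release sorts below 2.15.0 anyway."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return ()
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """Affected only when the lookup class is actually present (deleting it was an
    accepted mitigation) and the version is 2.x below 2.15.0. An archive that has
    the class but no readable version is treated as affected, to be conservative."""
    if not has_jndi_lookup:
        return False
    if version is None:
        return True
    v = parse_version(version)
    return bool(v) and v[0] == 2 and v < FIXED_IN


def scan_archive(label: str, data: bytes) -> list:
    """Inspect one archive held in memory and recurse into archives nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else None
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append(Finding(label, version, has_jndi, is_affected(version, has_jndi)))
        for member in sorted(names):
            if member.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(f"{label}!{member}", zf.read(member)))
    return findings


def scan_tree(root: str) -> list:
    """Scan every archive below root; paths are reported relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    label = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.extend(scan_archive(label, fh.read()))
    return findings


def _make_jar(version: Optional[str], with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: manifest, optional pom.properties,
    optional JndiLookup.class entry (class-file magic only, no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_samples(root: str) -> None:
    """Constructed sample deployment: vulnerable, patched, class-stripped, nested
    inside a .war, and an unrelated jar with no Log4j in it."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    samples = {
        "log4j-core-2.14.1.jar": _make_jar("2.14.1", True),
        "log4j-core-2.17.1.jar": _make_jar("2.17.1", True),
        "log4j-core-2.14.1-stripped.jar": _make_jar("2.14.1", False),
        "commons-io.jar": _make_jar(None, False),
    }
    for name, data in samples.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _make_jar("2.12.1", True))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo() -> dict:
    """Build the constructed sample tree, scan it, and return {path: affected}."""
    root = tempfile.mkdtemp(prefix="log4shell-check-")
    build_samples(root)
    return {f.path: f.affected for f in scan_tree(root)}


if __name__ == "__main__":
    for path, affected in demo().items():
        print(("AFFECTED " if affected else "ok       ") + path)
```

To run it against a real host, call scan_tree() on the application root (for example a Tomcat or application-server installation directory) instead of demo(). Two caveats the verdict logic encodes: a version string alone is not enough, because deleting JndiLookup.class from the jar was a supported mitigation and leaves the version unchanged, and 2.15.0 is the floor for this CVE only; later Log4j advisories moved the recommended version higher, so treat anything below the current release as a finding to review rather than a clean result.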
Currently supported versions of Alliance Key Manager are 4.6 and newer, including 5.x. Earlier versions are likewise not subject to the Log4Shell vulnerability, but if you are running one you should contact Townsend Security support to upgrade as soon as possible.
Customers and partners with questions about this vulnerability can contact Townsend Security through the normal problem ticketing options. Others may send email to info@townsendsecurity.com.