+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Alliance Key Manager – No Log4Shell (Log4J) vulnerability

Posted by Patrick Townsend on Dec 18, 2021 4:37:43 PM

December 17, 2021

The Log4Shell (Log4j) vulnerability represents a potentially severe security threat to all companies who deploy internal or third-party applications that use the Java Log4j logging facility. The relevant security notice is CVE-2021-44228. Our customers and partners have inquired if Alliance Key Manager is subject to this new vulnerability.

Link to the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

SQL Server Standard Edition & TDEAfter technical review and external application scanning (Nessus) we can report that Alliance Key Manager is not subject to this vulnerability. This applies to all platforms where Alliance Key Manager can be deployed including VMware, Microsoft Azure, Amazon AWS, and the Townsend Security HSM. The primary key management interface to Alliance Key Manager is a secure TLS interface that is implemented on the server side via ANSI C application code for both traditional and KMIP operations. All inputs are validated before processing. No use is made of Java for logging functions. The user, administrative, encryption and mirroring functions of key management interfaces are logged using native ANSI C functions. Some server management functions use logging via the Python language. 

Currently supported versions of Alliance Key Manager are 4.6 and newer including 5.x. If you are running an earlier version of Alliance Key Manager you are not subject to the Log4Shell vulnerability, but you should contact Townsend Security support to upgrade as soon as possible.

If customers and partners have any questions about this vulnerability then can contact Townsend Security through normal problem ticketing options. Others may send email to info@townsendsecurity.com.

Townsend SecurityEncryption Key Management for VMware Cloud Providers

Topics: MSP, CyberSecurity, Log4Shell, Log4j

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Recent Posts

Posts by Topic

see all