The National Institute of Standards and Technology (NIST) logged a new vulnerability regarding Chainsaw, which also affects Log4J, on Jan 18, 2022. Log4J is a common library from the Apache Foundation used in products published by many companies, including Xeams.
Chainsaw is a GUI-based application that can be used to view log files. Although Xeams does not use this application internally, a third-party library used in Xeams includes this application. Therefore, a user with malicious intent and access to the machine running Xeams could run this application.
Note: The following steps are not necessary if you downloaded Xeams after August 01, 2022.
Although Xeams is not directly affected, out of an abundance of caution, follow the steps below if you would like to patch this library on your end.
log4j.jar from here. This modified version does not contain classes for JMSAppender. Since these classes are not used, you will not get any runtime errors in Xeams.
Follow the steps below to confirm you're not using the affected version.
unzip -l lib/log4j.jar | grep -i chainsaw
org\apache\log4j\chainsaw. If you see this folder, download the JAR file from here and use it to replace the file in C:\Xeams\lib.
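The same check as a script that works on both Windows and Linux installs and covers every JAR in the lib folder. This is an added example, not code shipped with Xeams. The function names are hypothetical, and the org/apache/log4j/net/ location of JMSAppender is the standard Log4j 1.x layout rather than something stated on this page.

```python
import sys
import zipfile
from pathlib import Path

# Package folder named on this page, plus the JMSAppender class the patched JAR omits.
# Assumption: JMSAppender sits under org/apache/log4j/net/ (standard Log4j 1.x layout).
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"
JMS_APPENDER = "org/apache/log4j/net/jmsappender"

def flagged_entries(jar_path):
    """Return sorted entry names in the JAR that belong to Chainsaw or JMSAppender."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            # Normalise separators and case so odd archives are not missed.
            norm = name.replace("\\", "/").lower()
            if norm.startswith(CHAINSAW_PREFIX) or norm.startswith(JMS_APPENDER):
                hits.append(name)
    return sorted(hits)

def scan_lib(lib_dir):
    """Map each JAR in lib_dir to its flagged entries; unreadable JARs map to None."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            report[jar.name] = flagged_entries(jar)
        except zipfile.BadZipFile:
            report[jar.name] = None
    return report

def build_sample_jar(path, entries):
    """Constructed test input: write a JAR holding empty files with the given names."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")

if __name__ == "__main__":
    lib = sys.argv[1] if len(sys.argv) > 1 else "lib"
    for jar_name, hits in scan_lib(lib).items():
        if hits is None:
            print(f"{jar_name}: not a readable JAR, check manually")
        elif hits:
            print(f"{jar_name}: {len(hits)} flagged entries, e.g. {hits[0]}")
        else:
            print(f"{jar_name}: clean")
```

Run it with the lib folder as the only argument, for example C:\Xeams\lib. Any JAR reported with flagged entries still carries the Chainsaw or JMSAppender classes.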