Updated 12/20/2021


SafeConsole OnPrem and Cloud solutions were upgraded to address the initial 0-day exploit (CVE-2021-44228). Since this patch, Apache has released the 2.16 and 2.17 updates to the log4j library.


These vulnerabilities require a non-default configuration of the log4j library involving thread context lookup patterns. This is not configured in SafeConsole 5.9.3.92. DataLocker's development and security teams have been following the log4j developments closely and will continue to evaluate any new vulnerabilities that are announced. Unless a new vulnerability is found that requires an immediate patch, the log4j library will be updated to the current release during the next standard SafeConsole development update scheduled for Q1 2022.


Secondary mitigations have been applied to SafeConsole Cloud, including updating the rules in our web application firewall. It is recommended that our OnPrem customers work with their teams to put their own secondary controls in place in their environment. Such controls could include limiting outbound network connections from the SafeConsole server. Other mitigations, such as manually removing the JndiLookup class from the classpath, can be done if required.
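
To verify the class-removal mitigation mentioned above, the following added example (not DataLocker's or Apache's code) scans a directory tree for log4j-core copies, including ones nested inside WAR or fat-JAR files, and reports each copy's version and whether JndiLookup.class is still present. It assumes log4j-core can be recognized by its standard Maven pom.properties entry or by the JndiLookup class path; the function names and the constructed sample archives in demo() are illustrative.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(data, label, depth=0):
    """Report log4j-core copies in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # corrupt or non-zip file with an archive extension
    findings, names = [], set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version = next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                        if ln.startswith("version=")), "unknown")
        findings.append((label, version, JNDI_CLASS in names))
    for name in sorted(names):  # fat jars and WARs bundle libraries as nested archives
        if depth < 3 and name.lower().endswith(ARCHIVES):
            findings += inspect_archive(zf.read(name), label + "!" + name, depth + 1)
    return findings

def scan_tree(root):
    """Walk root; return (path, version, jndi_lookup_present) per log4j-core copy."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            findings += inspect_archive(path.read_bytes(), path.relative_to(root).as_posix())
    return sorted(findings)

def make_jar(entries):
    """Build a constructed archive in memory (sample data, not a real log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: a WAR nesting an untouched copy, and a jar with the class removed."""
    with tempfile.TemporaryDirectory() as root:
        full = make_jar({POM_PROPS: "version=2.15.0\n", JNDI_CLASS: b"constructed"})
        Path(root, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": full}))
        Path(root, "mitigated.jar").write_bytes(make_jar({POM_PROPS: "version=2.15.0\n"}))
        return scan_tree(root)
```

Call scan_tree() on the directory that holds the server's Java libraries; any entry with the third field True still carries the class. Copies that were shaded or relocated under a different package path are not detected by this check.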





SafeConsole OnPrem - Update required to 5.9.3.92. This patches the log4j2 library to 2.15.


SafeConsole Cloud - No action required by customers

  • Web Application Firewall rules were in place on 12/10/2021 as a temporary mitigation
  • All Cloud instances have been updated automatically to 5.9.3.92 as of Monday 12/13/2021 10:30 am CST


EMS OnPrem - Does not contain vulnerable packages identified by CVE-2021-44228 


EMS Cloud - Does not contain vulnerable packages identified by CVE-2021-44228


Devices with 4.8.x and 6.x clients - Do not contain vulnerable packages identified by CVE-2021-44228

  • This includes all devices made by DataLocker (DL4, K350, H300, H350, Sentry One, etc)


PortBlocker - Does not contain vulnerable packages identified by CVE-2021-44228


SafeCrypt - Does not contain vulnerable packages identified by CVE-2021-44228



If you have any questions, please contact support@datalocker.com.