CVE-2021-44228 - Apache Log4j2 Java
Vulnerability Summary
On December 9, 2021, a vulnerability (CVE-2021-44228) impacting versions 2.0-beta9 to 2.14.1 of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub.
Kasm Services
Kasm Workspaces is not vulnerable to the Log4j vulnerability as Java is not utilized by any server components within Kasm Workspaces or other Kasm products and/or services.
Desktop/App Images
Administrators of Kasm Workspaces can create custom images, which may include the Java runtime and a vulnerable version of the Log4j 2 library. Kasm Technologies recommends building custom images on automated CI pipelines. Kasm Workspaces, when configured properly, will automatically update images built on a schedule. Utilizing a DevSecOps process for continually updating custom Workspace images ensures the images are always up to date with the latest security patches.
For desktop and app images provided by Kasm Technologies, Kasm releases two versions of each image: a versioned release and a rolling release. The versioned release of each image never changes after release. Rolling tagged images are updated nightly and published on Docker Hub. Installations using Kasm-provided images are recommended to use the rolling tagged images; Kasm Workspaces will then check for updates hourly and automatically pull updates.
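For the custom images discussed above, one way to check for an affected Log4j 2 copy in a CI pipeline, as an added example that is not Kasm's or Apache's code: the script walks an unpacked image filesystem (for instance the extracted output of `docker export`) and reports every log4j-core whose Maven metadata version falls in the 2.0-beta9 to 2.14.1 range. It assumes the jar still carries its `pom.properties`, so shaded jars that strip it are not detected; the function names are illustrative.

```python
import io, re, sys, zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry; its "version=" line names the release.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def is_affected(version):
    """True if version is within 2.0-beta9 .. 2.14.1, the range given in the advisory."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        return True  # unparseable version: report it for manual review
    release = (int(m[1]), int(m[2]), int(m[3] or 0))
    if release == (2, 0, 0) and m[4]:  # 2.0 pre-releases: beta9 and later only
        return m[4] == "rc" or (m[4] == "beta" and int(m[5]) >= 9)
    return (2, 0, 0) <= release <= (2, 14, 1)

def scan_archive(data, label, depth=0):
    """Return [(location, version)] for each log4j-core copy in a zip, including nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if name == POM:
                m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                hits.append((label, m.group(1).strip() if m else "unknown"))
            elif name.lower().endswith(ARCHIVES) and depth < 3:  # fat jars, WEB-INF/lib
                hits += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    return hits

def scan_tree(root):
    """Walk an unpacked image filesystem; return affected (location, version) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in ARCHIVES and path.is_file() and not path.is_symlink():
            hits = scan_archive(path.read_bytes(), str(path))
            findings += [(loc, ver) for loc, ver in hits if is_affected(ver)]
    return findings

if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for loc, ver in found:
        print(f"AFFECTED log4j-core {ver}: {loc}")
    sys.exit(1 if found else 0)
```

Run it with the unpacked image root as the only argument; a non-zero exit status lets the pipeline fail the build when an affected copy is found.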