Who does this affect?
This article applies to users running Portfolio 3.6.3 and 4.0.
Issue
On December 10, 2021, researchers reported CVE-2021-44228, detailing an exploit in the Log4j library that allowed a malicious user to run code on an affected system. Portfolio uses an affected version of Log4j.
On March 10, 2023, CVE-2023-26464 described an issue with Log4j 1.x on systems running a JRE earlier than version 1.7.
Is there a solution?
CVE-2021-44228
Yes. Portfolio versions 3.6.3 and 4.0 need to be updated to the latest version of Portfolio, 4.0.1, which can be found on our Installers page here:
https://www.extensis.com/support/portfolio-4/
CVE-2023-26464
Portfolio 3.6.3 and 4.x do not use a JRE lower than 1.7.
If you have questions or require more assistance, please submit a support request.