Summary: No Enthought software appears to be subject to the log4j vulnerability.
As widely reported in the press, a critical software vulnerability, known as Log4Shell, was discovered in the popular Apache Log4j 2 Java library which is used for logging messages in applications. The vulnerability enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2.
This article is to provide you with information regarding this vulnerability as it relates to (i) your Enthought software products (which may include Enthought Solution Suite, Enthought Deployment Server, Canopy Enterprise, and CanopyGeo) and (ii) open source libraries accessible through Enthought’s package distribution.
Enthought products do not use Log4j (or Java), and thus are unaffected by this vulnerability. Enthought products have a dependency on Keycloak, an open source Identity and Access Management library from RedHat. As reported by RedHat, Keycloak is Java-based but is not subject to the Log4j vulnerability.
Enthought has conducted a comprehensive review of the software libraries accessible in our package distribution to identify any potential issues related to this vulnerability. The vast majority of these libraries are known to be safe to use, including Python, C, and C++. All publicly accessible Python 3.6, 3,8 and 2.7 packages hosted on the Enthought Deployment Server have been scanned (using https://github.com/mergebase/log4j-detector). None were reported as vulnerable to the log4j CVE’s.
Please contact customer support at firstname.lastname@example.org should you have any questions.
Please do not enter support requests in article comments
Please use article comments for suggestions to improve the article. For individual support requests, please follow these guidelines.