This article is our current position statement on CVE report CVE-2021-44228 regarding log4j2 (aka log4j):
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
We have not discovered any versions of our products that are vulnerable to this exploit.
- The shipping version of the EVO OS (v.6.1.5.x) is cleared.
- SNS Cloud VPN is unaffected.
We are continuing our investigations and will update this article once confirmed/complete.
We've concluded that CVE-2021-44228 as described is not a concern for SNS products, since we do not include LOG4J or provide the control options required to exploit it.