March Networks products are not impacted by the recently discovered Log4j 1.x vulnerabilities (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307).
While March Networks Command Enterprise uses Apache Log4j 1.x, it does so without enabling any of the components and functions mentioned in these new CVEs. An attacker would already need privileged access to the server hosting Command Enterprise, and change it to exploit them, like for the previously discovered CVE-2021-44228.
As communicated previously, March Networks’ products also do not use the Apache Log4j2 library, which is impacted by other vulnerabilities.
Please refer to our Security Updates and Advisories page for full details.