We can confirm that the VNC Connect client software (VNC Server and VNC Viewer) do not use Java or the Log4j component and are therefore unaffected by the following CVEs:
No action is required to be taken by our customers.
Some RealVNC Cloud Services had sub-dependencies which include Log4j and although these were not exploitable, mitigations for CVE-2021-44228 have been implemented. The related CVE-2021-45046, CVE-2021-4104, CVE-2021-45105 and CVE-2021-44832 have been assessed and do not affect RealVNC services.
Since we expect the situation to continue to evolve, we will continue to monitor our environment and apply any additional recommended mitigations.
This article will be updated as necessary.
Article update history:
- 30-Dec-2021: Added CVE-2021-44832