We officially announce that VisualSVN products are NOT AFFECTED by the recently disclosed CVE-2021-44228 vulnerability, also known as Log4Shell. Please find the details below.
CVE-2021-44228 is a critical remote code execution vulnerability in the Apache Log4j Java library. Information about the vulnerability was publicly disclosed on December 9, 2021. At the time of writing, the vulnerability is known to be actively exploited in the wild.
VisualSVN Server is not affected
VisualSVN Server is NOT AFFECTED by the CVE-2021-44228 (Log4Shell) vulnerability.
VisualSVN Server and its components are not based on Java, and they do not depend on the vulnerable Apache Log4j library.
Although VisualSVN Server itself is not affected, it is recommended to check if your Subversion repositories have custom or third-party hooks that use Java and the vulnerable Apache Log4j library. If so, the risks are still limited because triggering a hook script requires access permissions to the corresponding repository. However, in this case it is strongly recommended to follow the official guidelines on mitigating the vulnerability.
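One way to run the hook check described above, as an added example that is not VisualSVN code: the script lists jars in or referenced by each repository's hooks folder that bundle Log4j's `JndiLookup` class, with the log4j-core version when the jar records it, so the result can be compared against the official guidelines. It assumes a repositories root with one folder per repository, and it does not detect relocated (shaded) or nested jars.

```python
import re
import zipfile
from pathlib import Path

# Class shipped in log4j-core that performs the JNDI lookups behind Log4Shell.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words in a hook script

def inspect_jar(jar):
    """Return (contains JndiLookup, log4j-core version or None) for one jar."""
    try:
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = match.group(1).strip() if match else None
            return JNDI_CLASS in names, version
    except (zipfile.BadZipFile, OSError):
        return False, None

def referenced_jars(script, hooks):
    """Jar paths named in a hook script; classpath entries are split on ';'."""
    jars = set()
    for token in TOKEN.findall(script.read_text(errors="replace")):
        for part in token.strip('"').split(";"):
            if part.lower().endswith(".jar"):
                # %~dp0 is the batch idiom for "directory of this script".
                part = part.replace("%~dp0", "")
                jars.add(Path(part) if Path(part).is_absolute() else hooks / part)
    return jars

def scan_hooks(repos_root):
    """List (repository, jar path, version) for hook jars bundling JndiLookup.

    Assumption: repos_root holds one folder per repository, each with 'hooks'.
    """
    findings = []
    for hooks in sorted(Path(repos_root).resolve().glob("*/hooks")):
        jars = set(hooks.rglob("*.jar"))
        for script in hooks.iterdir():
            # Skip the *.tmpl samples Subversion creates; they never run.
            if script.is_file() and script.suffix.lower() not in (".tmpl", ".jar"):
                jars |= referenced_jars(script, hooks)
        for jar in sorted(j for j in jars if j.is_file()):
            has_jndi, version = inspect_jar(jar)
            if has_jndi:
                findings.append((hooks.parent.name, str(jar), version))
    return findings
```

An empty result from `scan_hooks` only means no hook script or hooks folder points at a jar containing the class; hooks that launch Java through another wrapper still need a manual look.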
VisualSVN for Visual Studio is not affected
VisualSVN for Visual Studio is NOT AFFECTED by the CVE-2021-44228 (Log4Shell) vulnerability.
VisualSVN for Visual Studio and its components are not based on Java, and they do not depend on the vulnerable Apache Log4j library.