TechSmith’s Security Team first became aware of the Log4j Remote Code Execution (RCE) vulnerability on December 10th, 2021, and immediately began an investigation.
TechSmith’s Created Software and Services
Log4j is a logging utility for Java-based software. Apart from our Android-based solutions, TechSmith does not leverage Java for software we create. We were not anticipating finding any use of Log4j, but we investigated our source code repositories and library manifests to verify TechSmith’s software and services do not make use of or distribute the Log4j library.
- TechSmith Snagit - Does not use Log4j
- TechSmith Camtasia - Does not use Log4j
- TechSmith Audiate - Does not use Log4j
- TechSmith Capture - Does not use Log4j
- TechSmith Knowmia - Does not use Log4j
- Screencast.com - Does not use Log4j
- Video Review - Does not use Log4j
- TechSmith Assets for Camtasia / Snagit - Does not use Log4j
- TechSmith Fuse - Does not use Log4j
- Coach's Eye and coachseye.com - Does not currently use Log4j; However, versions of Coach's Eye Android released prior to 2020 may contain Log4j.
Use of Log4net in TechSmith Snagit and TechSmith Camtasia
TechSmith Snagit for Windows prior to version 2022.0.2 and TechSmith Camtasia for Windows prior to 2021.0.16 were distributed with a version of Log4net vulnerable to CVE-2018-1275. This is not related to the Log4j RCE vulnerabilities.
This library was a dependency of older Google SDKs for Google Drive and YouTube outputs. Exploiting this vulnerability would require write access to the local file system which would allow a bad actor to engage in many other malicious actions on the target computer. There is no reason to believe this is remotely exploitable.
Users who are unable to upgrade to repaired versions can mitigate their risk by disabling the Google Drive and YouTube functionality within Snagit and Camtasia. Please open a support ticket if this is something you need assistance with.