Log4j Vulnerability

TechSmith’s Security Team first became aware of the Log4j Remote Code Execution (RCE) vulnerability on December 10th, 2021, and immediately began an investigation. 

TechSmith’s Created Software and Services

Log4j is a logging utility for Java-based software. Apart from our Android-based solutions, TechSmith does not leverage Java for software we create. We were not anticipating finding any use of Log4j, but we investigated our source code repositories and library manifests to verify TechSmith’s software and services do not make use of or distribute the Log4j library.

  • TechSmith Snagit - Does not use Log4j
  • TechSmith Camtasia - Does not use Log4j
  • TechSmith Audiate - Does not use Log4j
  • TechSmith Capture - Does not use Log4j
  • TechSmith Knowmia - Does not use Log4j
  • Screencast.com - Does not use Log4j
  • Video Review - Does not use Log4j
  • TechSmith Assets for Camtasia / Snagit - Does not use Log4j
  • TechSmith Fuse - Does not use Log4j
  • Coach's Eye and coachseye.com - Does not currently use Log4j; however, versions of Coach's Eye Android released prior to 2020 may contain Log4j.

Use of Log4net in TechSmith Snagit and TechSmith Camtasia

TechSmith Snagit for Windows and TechSmith Camtasia for Windows are distributed with a version of log4net that is vulnerable to CVE-2018-1275. This is not the same as the Log4j vulnerabilities. TechSmith first started tracking this as a security issue in July 2021.

Exploiting this vulnerability would require write access to the host OS's file system, and that level of access would already enable a variety of much worse malicious actions on the target computer; there is no evidence that it is remotely exploitable. For these reasons, it was classified as a low-priority fix.

The vulnerable version of log4net is present because TechSmith uses older Google SDKs for the Google Drive and YouTube outputs, so users can reduce their risk by disabling this functionality within Snagit and Camtasia. If you need help with that, please open a support ticket.