Free Edition No, Desktop Central is not vulnerable to CVE-2021-44228.
A severely critical RCE vulnerability was discovered in Apache Log4j library. In Log4j2, the Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters were found to be vulnerable. An attacker could gain control of LDAP and inject malicious payloads leading to a remote code execution.
Starting 14.12.2021, Desktop Central no longer uses Log4j. The Log4j version 1.2.15 that was in use before the removal, was also not vulnerable to CVE-2021-44228 as per Apache Log4j's official security notification page. Hence, Desktop Central remains completely unaffected by this vulnerability.
Yes. We have unbundled Log4j from our product and no longer use it. The fix is available in the build 10.1.2127.20.
No. During the former usage of v1.2.15, Desktop Central was not vulnerable to CVE-2019-17571 as the application was not using the vulnerable configuration that lead to this vulnerability.