A critical zero-day exploit in the popular Java-based logging framework Log4j was published last Friday afternoon (tracked as CVE-2021-22448, CVSS score: 10.0). Because the vulnerability is easy to exploit and Log4j is widely used, Germany's BSI assigned its highest warning level to it.

We followed announcements from software vendors throughout the weekend and made an assessment of our own infrastructure. Since most of the software we use is either Go- or PHP-based, Log4j is not in use in Flownative Beach. 

We also provide Elasticsearch servers to our customers, which are Java-based. However, none of those Elasticsearch instances was using a version which would allow exploitation of the remote command execution vulnerability. We re-configured instances running Elasticsearch 6 to also eliminate any possible information disclosure.

Therefore, at this time, no part of the Flownative infrastructure is affected by this zero-day exploit. In case new information should change our assessment, we will update this post and inform customers as necessary.