A critical zero-day exploit in the popular Java-based logging framework Log4j was published last Friday afternoon. Since it is easy to exploit and its widespread use, Germany's BSI assigned its highest warning level to this vulnerability.
The exploit is tracked as CVE-2021-22448 and was given a CVSS score of 10.0. In case you don't know, that is the maximum score possible. No wonder the vulnerability made it even to major news outlets and had many IT security experts cancel their weekend plans.
We followed announcements from software vendors throughout the weekend and made an assessment of our own infrastructure. Since most of the software we use is either Go- or PHP-based, Log4j is not in use in Flownative Beach.
We also provide Elasticsearch servers to our customers, which are Java-based. However, none of those Elasticsearch instances was using a version which would allow exploitation of the remote command execution vulnerability. We re-configured instances running Elasticsearch 6 to also eliminate a possible information disclosure.
Therefore, at this time, no part of the Flownative infrastructure is affected by this zero-day exploit. In case new information should change our assessment, we will update this post and inform customers as necessary.