On December 9th, Apache Systems publicly disclosed a high severity vulnerability (tracked as CVE-2021-44228, nicknamed “Log4Shell”) impacting multiple versions of the Apache Log4j 2 utility.
This vulnerability, which impacts Apache Log4j 2 versions 2.0 to 2.14.1, permits unauthenticated remote code execution (RCE). The Apache Log4j 2 utility, which is an open source Java logging library developed by the Apache Foundation, is widely used across many of the world’s most popular internet services, including tech giants like Amazon, Apple, Twitter, Cloudflare, Steam, and Minecraft.
When we learned about Log4Shell, Paybook implemented our zero-day process across all systems and products to detect any exposure to this vulnerability and take any necessary mitigation measures. Our team discovered that, while Paybook does have some Apache systems using Java, none of our product lines are impacted by Log4Shell because our code base does not contain any of the impacted log4j libraries. Controls on our internal systems also prevent outbound internet access, giving Paybook another layer of protection. Our team concluded that none of our services are affected by Log4Shell. We will continue to monitor the situation for updates and promptly notify our customers and partners of any changes to this conclusion
We highly recommend any companies using Java-based software to immediately determine if they are using any of the affected log4j libraries. For affected companies, we recommend the following:
- Check for these Log4Shell hashes in your software inventory.
- JAR files belonging to the log4j library with the pattern “log4j-core-*.jar” can indicate that an application is potentially susceptible to CVE-2021-44228.
- Monitor impacted applications closely for anomalous behavior.
- Apache’s log4j security vulnerabilities page recommends that organizations upgrade to Log4j 2.15.0 at your earliest opportunity. For those who cannot upgrade to 2.15.0, Apache offers alternate mitigation options as well.