On 10th December 2021, a critical vulnerability, CVE-2021-44228 (referred to as Log4Shell), was disclosed. Many large software companies and online services are affected, including Amazon, Apple iCloud, Cisco, ElasticSearch, Tesla, Twitter and many more. This article summarizes the results of our investigation to date.
The vulnerability is in Apache Log4j, a Java-based logging library used in many products and applications. It allows an attacker to execute their own code on a remote server (Remote Code Execution, RCE) and potentially take full control of the system. Services and systems that use the Apache Log4j library in versions 2.0 through 2.14.1 are affected.
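As an added illustration of how the inventory check for the affected version range can be automated (example code added here, not Papirfly's own tooling): the script below walks a directory tree, identifies Log4j jars by their Maven metadata, reads the version, and flags log4j-core versions from 2.0 through 2.14.1. The directory layout and jar files it scans are constructed inline for the demonstration; the pom.properties paths and the JndiLookup class name are taken from the public Maven artifacts and are assumptions of this example, not details from this page.

```python
"""Added example: inventory scanner that flags log4j-core jars in the
2.0 .. 2.14.1 range named in the advisory. Hypothetical helper code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range for CVE-2021-44228 as stated in the advisory.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Maven metadata paths inside the jars (groupId/artifactId as published
# on Maven Central; assumed here, not taken from the advisory).
POM_PATHS = {
    "log4j-core": "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "log4j-1.x": "META-INF/maven/log4j/log4j/pom.properties",
}
# The class implementing JNDI lookups in Log4j 2; its presence in a 2.x jar
# means the lookup feature has not been stripped out.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); '1.2.17' -> (1, 2, 17)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x) if x else 0 for x in m.groups()) if m else None


def is_affected(version):
    """True when a log4j-core version is in the 2.0 .. 2.14.1 range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def inspect_jar(jar_path):
    """Return a finding for a Log4j jar (1.x or 2.x core), or None for other jars."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = set(zf.namelist())
            for flavour, pom in POM_PATHS.items():
                if pom not in names:
                    continue
                version = None
                for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                # Only Log4j 2 core is in scope for this vulnerability.
                affected = flavour == "log4j-core" and is_affected(version)
                return {
                    "path": str(jar_path),
                    "flavour": flavour,
                    "version": version,
                    "affected": affected,
                    "jndi_lookup_present": JNDI_CLASS in names,
                }
    except zipfile.BadZipFile:
        pass
    return None


def scan(root):
    """Walk a directory tree and collect findings for every Log4j jar in it."""
    findings = [inspect_jar(p) for p in Path(root).rglob("*.jar")]
    return [f for f in findings if f is not None]


def build_sample_tree():
    """Constructed sample: fake jars that mirror the advisory's two findings."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    es = root / "elasticsearch-7.12.0" / "lib"
    es.mkdir(parents=True)
    with zipfile.ZipFile(es / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr(POM_PATHS["log4j-core"], "version=2.11.1\ngroupId=org.apache.logging.log4j\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    legacy = root / "legacy-app" / "WEB-INF" / "lib"
    legacy.mkdir(parents=True)
    with zipfile.ZipFile(legacy / "log4j-1.2.17.jar", "w") as zf:
        zf.writestr(POM_PATHS["log4j-1.x"], "version=1.2.17\ngroupId=log4j\n")
    with zipfile.ZipFile(legacy / "commons-io-2.8.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # unrelated jar
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        flag = "AFFECTED" if f["affected"] else "not affected"
        print(f"{flag:12} {f['flavour']:10} {f['version']:8} {f['path']}")
```

Reading the version from the embedded pom.properties rather than the file name matters in practice: jars bundled inside application archives or renamed by build tooling do not always carry the version in their name, and a scan that relies on file names alone would miss them.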
We scanned our infrastructure to identify vulnerable applications and services. Here is a list of our findings and actions taken:
None of Papirfly’s Internet-facing applications use Log4j directly.
We found one application that includes an older version of Log4j (pre-2.0), which is not affected by this vulnerability.
We found one application, Elasticsearch 7.12.0, that includes Log4j 2.11.1 and is affected by this vulnerability. This application is not reachable from the public Internet and receives only sanitised input from the Papirfly service, so we do not believe an attacker can exploit the vulnerability against Elasticsearch. Nevertheless, out of an abundance of caution, we have taken the following actions:
We continue to monitor the situation and follow recommendations from the authorities and our vendors.
We do not believe that attackers have managed to exploit the vulnerability. We have taken steps as recommended by the authorities and our vendors to further secure Papirfly services.
We are continuing to investigate our exposure to this vulnerability and will provide further updates if any new risk to our users or our products is identified.
We are ready to handle any incidents.