Introduction - What is the Log4j vulnerability?
Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4Shell a very severe vulnerability.
Has Convertr been impacted by the Log4j vulnerability?
Log4j is commonly used in Java applications, and Java does not feature heavily in Convertr's tech stack.
We have identified 3 non-critical services, all of which have subsequently been patched to mitigate any vulnerabilities.
Along with the wider industry, Convertr is monitoring the situation as it evolves and will post any updates here accordingly.
What action has Convertr taken?
Convertr is fully based on AWS, so we have been closely following guidance from the AWS team on services which may be impacted by the Log4j vulnerability.
All containers which are stored in AWS' ECR have been scanned for the Log4j vulnerability and have been found to be unaffected.
| Service | Status | Details | Risk | Date |
| AWS OpenSearch Service | Mitigated | Convertr uses AWS's OpenSearch Service to store application logs (Processr & Audit), which are then retrieved into the application via the ElasticSearch API. | Low - There is no indication of any exploit of this vulnerability, and data is stripped of any sensitive information before being stored in our OpenSearch instances. OpenSearch instances are not accessible via the public internet. | 14th December 2021 |
| SonarQube | Mitigated | SonarQube is an open source, static code analysis tool used as part of Convertr's QA and development processes. SonarQube is not publicly accessible via the internet and does not have any access to any environment data. A patch to mitigate the Log4j vulnerability was committed on 12th December 2021. A further patch was applied on 17th December 2021 to address the additional Log4j CVE-2021-45046. | Low - Convertr's SonarQube instance is not publicly accessible via the internet and does not have any access to any environment data. | 12th December 2021 |