Status on Apache Log4j Vulnerability Follow

Alice Jaeb
  • Updated

Introduction - What is the Log4j vulnerability?

Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell a very severe vulnerability.

Has Convertr been impacted by the Log4j vulnerability?

Log4j is commonly used in Java applications, which is not heavily featured in Convertr’s tech stack.
We have identified 3 non-critical services, all of which have subsequently been patched to mitigate any vulnerabilities.

Along with the wider industry, Convertr is monitoring the situation as it evolves and will post any updates here accordingly.

What action has Convertr Taken?

Convertr is fully based on AWS, we’ve been closely following guidance from the AWS team on services which may impacted by the Log4j vulnerability.

All containers which are stored in AWS' ECR have been scanned for the Log4j vulnerability and have been found to be unaffected.

Service

 

Status

 

Description

 

Impact

 

Date Mitigated

 

AWS OpenSearch Service

Mitigated

Convertr uses AWS’s OpenSearch Service to store application logs (Processr & Audit) which are then retrieved into the application via the ElasticSearch API.

The patch was implemented across Convertr’s OpenSearch services on the 14th December.

Low - There is no indication of any exploit of this vulnerability and data stored our OpenSearch instances removes any sensitive information before being stored.

OpenSearch instances are not accessible via the public internet.

14th December 2021

SonarQube

Mitigated

SonarQube is an open source, static code analysis tool used as part of Convertr’s QA and Development processes.

SonarQube is not publicly accessible via the internet and does not have any access to any environment data.

A patch to mitigate the Log4j vulnerability was committed on 12th December 2021

A further patch was applied on 17th December 2021 to address additional Log4j CVE-2021-45046.

Low - Convertr’s SonarQube instance is not publicly accessible via the internet and does not have any access to any environment data.

12th December 2021

Articles in this section

Related articles