Log4j Vulnerability (CVE-2021-44228)

Log4j vulnerability – what you need to know from RapidSpike.

Are you aware of the vulnerability of the Log4j tool? Further detail can be found here.

We have been investigating the impact of this vulnerability on our systems since it was first disclosed late last week.

None of our proprietary software is written in Java and therefore doesn’t use the Log4j software, so is not directly affected by this issue. Some of our infrastructures run on AWS services that were affected (CloudFront and S3) but did not pose a threat to our internal systems and have since been upgraded by AWS.

We have identified an open-source software that we use that is written in Java and has a dependency on Log4j. The software is used in a stack that runs a small, very specific portion of our testing and sits externally from our main infrastructure – the threat is contained and minimal. Additionally, we have the logging through the software switched off in production. Having said this, on Tuesday 14th December we applied the config-based mitigation suggested by Log4j to the servers.

We are continuing to investigate any other potential uses of Log4j across our systems and will act accordingly if anything is found.

If you would like to speak to one of the team – we would be happy to help. Please email support@rapidspike.com