Security Update: Logging library Apache Log4j vulnerability
A critical vulnerability called Log4Shell in Apache Log4j, a logging library commonly used in Java-based systems, was reported on December 10th, 2021.
About CVE-2021-44228 (NIST)
By transmitting crafted data that exploits this vulnerability, a remote third party may be able to execute arbitrary code.
What we’re doing to address this issue
We promptly began securing our services and websites as soon as we became aware of the problem.
As of Dec 13th 9:24 (UTC), we’ve finished updating Apache Log4j on all of our servers, using the workarounds advised by NIST and other security vendors for CVE-2021-44228.
When the update is ready, we will notify customers who use the enterprise versions of Backlog and Cacoo via email.
Based on the known extent of the vulnerability, we have confirmed that it cannot be utilized to attack any of our services.
We’ll keep collecting data on CVE-2021-44228 and take appropriate action as warranted. We’ll report future updates, if any, of our response status on this blog.
Update Dec. 17
We’re ready to update the enterprise versions of Backlog and Cacoo, so we’ve notified users via email.
Because the countermeasures against CVE-2021-44228 in Apache Log4j were incomplete, a new vulnerability, CVE-2021-45046, was discovered and published. As of Dec 16th 7:00 (UTC), we’ve finished updating Apache Log4j on all of our servers, using the workarounds advised by NIST and other security vendors for CVE-2021-45046.
Update Dec. 21
Because the countermeasures against CVE-2021-45046 in Apache Log4j were incomplete, a new vulnerability, CVE-2021-45105, was discovered and published. As of Dec 20th 6:47 (UTC), we’ve finished updating Apache Log4j on all of our servers, using the workarounds advised by NIST and other security vendors for CVE-2021-45105.
The additional update for CVE-2021-45046 and CVE-2021-45105 is ready; we will notify customers who use the enterprise versions of Backlog and Cacoo via email.