Log4j vulnerability
On 2021-12-09 a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed that could allow remote, unauthenticated attackers to run code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 [1] and is also known as “Log4Shell”. On 2021-12-14 a second vulnerability, a denial of service (CVE-2021-45046 [2]), was disclosed; it showed that the initial fix in version 2.15.0 was incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are intended to fix both security vulnerabilities.
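As an added example (not part of Localyzer's notice or its tooling), the following Python helper turns the version facts stated above into a triage check a defender can run over an inventory of Log4j jar file names: anything at or above 2.16.0, or at or above 2.12.2 on the 2.12 branch, is treated as fixed; 2.15.0 is flagged as a partial fix; every other 2.x release is flagged as vulnerable. The jar names and the rule that only `log4j-core` carries the affected code are this example's own assumptions; branches the notice does not mention are deliberately flagged conservatively.

```python
"""Triage Log4j 2.x jar file names against the fixed versions named in the notice.

Assumptions (not from the notice): the affected code lives in the
log4j-core artifact, and jar names follow the Maven convention
log4j-core-<major>.<minor>[.<patch>][-<qualifier>].jar.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Versions named in the notice above.
FIXED_MAIN: Version = (2, 16, 0)          # fixes CVE-2021-44228 and CVE-2021-45046
FIXED_212_BRANCH: Version = (2, 12, 2)    # same fixes for the 2.12 (Java 7) branch
PARTIAL_FIX: Version = (2, 15, 0)         # incomplete under non-default configurations

# Match only log4j-core; log4j-api alone does not contain the affected lookup code.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")


def parse_version(jar_path: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a log4j-core jar path, or None if it is not one."""
    match = JAR_RE.search(jar_path)
    if not match:
        return None
    major, minor, patch = match.groups()
    # Pre-release names such as 2.0-beta9 carry no patch component; treat it as 0.
    return int(major), int(minor), int(patch or 0)


def classify(version: Version) -> str:
    """Map a log4j-core version to a status string derived from the notice."""
    major, minor, _ = version
    if major != 2:
        # Log4j 1.x is a separate code base and not the subject of these two CVEs.
        return "out-of-scope"
    if minor == 12:
        # The 2.12 branch received its own backported fix in 2.12.2.
        return "fixed" if version >= FIXED_212_BRANCH else "vulnerable"
    if version >= FIXED_MAIN:
        return "fixed"
    if version == PARTIAL_FIX:
        return "partial-fix"
    # Everything else on 2.x, including branches the notice does not name,
    # is flagged for update rather than assumed safe.
    return "vulnerable"


def triage(jar_paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, status) for every log4j-core jar in the inventory."""
    results = []
    for path in jar_paths:
        version = parse_version(path)
        if version is None:
            continue
        results.append((path, classify(version)))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; these paths do not refer to any real system.
    sample_inventory = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "/opt/app/lib/log4j-api-2.14.1.jar",
        "/opt/etl/lib/log4j-core-2.15.0.jar",
        "/opt/etl/lib/log4j-core-2.12.2.jar",
        "/opt/etl/lib/log4j-core-2.16.0.jar",
        "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    ]
    for path, status in triage(sample_inventory):
        print(f"{status:12} {path}")
```

Running the script over the constructed inventory lists one line per `log4j-core` jar with its status; `log4j-api` jars are skipped because they do not carry the affected code. For a real inventory, feed it the output of a file-system search for `log4j-core-*.jar`, and remember that a jar shaded or bundled inside another archive will not be seen by a file-name check alone.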
Localyzer’s security experts immediately analyzed all products and services to determine if our solutions were affected.
Summary: Localyzer’s online marketing platform is not affected and no exploit has been detected.
Our SaaS solution is based on PHP, Python and JavaScript. In a few cases we use the Java-based Talend Open Studio. This software uses Log4j, but in a non-vulnerable version and configuration of Log4j. We use Redis, MariaDB and PostgreSQL/PostGIS databases. None of them are affected by the vulnerability in the versions and configurations we use.
If you have any questions or concerns about this topic, please contact datenschutz@localyzer.io. Security and reliability continue to be top priorities for Localyzer.
[1] The Log4j vulnerability (CVE-2021-44228) allows unauthenticated remote code execution (RCE) in Java applications running a vulnerable version of Apache Log4j 2. This vulnerability poses a serious risk to those using this version as, if properly exploited, it could allow unauthorized access or full control over systems.
[2] The limited vulnerability in Log4j (CVE-2021-45046) means that, in some cases, the previous fix for CVE-2021-44228 was incomplete. Both vulnerabilities are fixed in Log4j 2.16.0.