Apache Log4j vulnerability update

  • by Scott Hertel
  • posted on December 16, 2021

CVE-2021-44228 and CVE-2021-45046

Dec. 13, 2021

As soon as reports of the vulnerabilities in the open-source Apache Log4j logging utility were announced on December 10th, 2021, Osano’s engineering team launched an investigation into our use of Log4j across our services, systems and applications. While we found several instances where we were using this dependency for logging, every case involved entirely backend services where no public interface is exposed. Despite this, Osano is working to update instances where we use Log4j or remove this dependency entirely from these internal services.

References:

CVE - CVE-2021-44228

Dec. 14, 2021

Osano has updated the following services to Log4j 2.15:

  • PDF Conversion Service (internal).
  • Data Discovery Integration Processor (internal).

Dec. 15, 2021

The Log4j team has discovered additional vulnerabilities in their recent 2.15 release. While these new vulnerabilities are not seen as a risk to Osano operations, the Osano engineering team has updated the following services to Log4j 2.16:

  • PDF Conversion Service (internal).
  • Data Discovery Integration Processor (internal).


References:

CVE - CVE-2021-45046

About The Author · Scott Hertel

Scott Hertel is the CTO & co-founder of Osano. An experienced software architect, Scott has been building scalable data-driven software for more than 20 years. Prior to Osano, Scott was the founding CTO of Meta SaaS, a leading enterprise software asset management platform for cloud applications which was sold to Flexera Software in 2018.