Dec. 13, 2021
As soon as the vulnerabilities in the open-source Apache Log4j logging utility were announced on December 10th, 2021, Osano’s engineering team launched an investigation into our use of Log4j across our services, systems and applications. While we found several instances where we were using this dependency for logging, every case involved entirely backend services where no public interface is exposed. Despite this, Osano is working to update the instances where we use Log4j or to remove this dependency entirely from these internal services.
Dec. 14, 2021
Osano has updated the following services to Log4j 2.15:
Dec. 15, 2021
The Log4j team has discovered additional vulnerabilities in their recent 2.15 release. While these new vulnerabilities are not seen as a risk to Osano operations, the Osano engineering team has updated the following services to Log4j 2.16: