A vulnerability in Log4j was announced on the 10th of December 2021. Reports worldwide show that the vulnerability is being actively and successfully used in attacks.
Log4j is a Java-based logging utility widely used in popular software systems.
Key Takeaways
- This has no consequences for Safespring's systems.
- Safespring customers should stop their services that might be affected.
What we’ve done so far
Fortunately, this has no consequences for our systems, and no services are down.
However, we must point out that we do not have, and should not have, any knowledge of which applications our customers run and how they are affected by this.
Recommendations to our customers
- Stop any services that might be affected
- Go through all logs looking for exploitation attempts, and for signs that any of them succeeded
- Immediately rotate secrets that a compromise might have leaked
- Upgrade to the safe version of Log4j or apply mitigations for the Log4j exploit
If you think you are not vulnerable, please check to be on the safe side one more time.
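To make that "check one more time" concrete, here is an added inventory script (example code, not Safespring's tooling) that walks a directory, opens every jar, war, ear or zip, reports the log4j-core version from the Maven pom.properties file that log4j-core jars carry, flags whether the JndiLookup class is present, and also looks inside archives nested in other archives, since Log4j is often embedded in other tools. The sample tree it builds is constructed for illustration only; compare the versions it reports against the fixed release named in the CVE announcement.

```python
import io, os, re, tempfile, zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"  # class abused by the December 2021 bug
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven version file

def inspect_archive(zf, label):
    """Report log4j-core content in one open ZipFile, recursing into nested jars."""
    findings, names = [], set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        m = re.search(rb"^version=(\S+)", zf.read(POM_PROPS), re.M) if POM_PROPS in names else None
        findings.append({"path": label, "version": m.group(1).decode() if m else "unknown",
                         "jndi_lookup": JNDI_LOOKUP in names})
    for n in sorted(names):
        if n.lower().endswith(ARCHIVE_EXT):  # e.g. WEB-INF/lib/*.jar bundled inside a WAR
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(nested, label + "!" + n))
    return findings

def scan_tree(root):
    findings = []  # walk the tree and inspect every Java archive found
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            try:
                with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                    findings.extend(inspect_archive(zf, os.path.join(dirpath, f)))
            except zipfile.BadZipFile:  # name looks like a jar but is not a zip
                continue
    return findings

def make_sample_tree():
    """Constructed fixture, not real artifacts: a fake log4j-core jar, a WAR bundling it, a clean jar."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "plain.jar"), "w") as clean:
        clean.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```

Run `scan_tree("/")` (or the application directories) on a real host; each finding lists the archive path, the version, and whether the JNDI lookup class is shipped.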
Please note that Log4j is embedded in many other logging tools, and in services that use those logging tools. There is a growing list of affected (and non-affected) technologies; see also the CVE announcement.
If we at Safespring have indications that services or instances in our infrastructure are affected by the Log4j vulnerability and are actively being used in attacks, we will alert the customer. If that customer does not take action, we will have to shut down those instances as soon as possible to prevent further damage.
We don’t actively monitor for this, but others might notify us. It is the responsibility of the service owner to investigate the situation further in such cases.