We are aware of the vulnerability and have completed verification that this issue DOES NOT affect Mail & Deploy software or services.
A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.
For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Mail & Deploy), the following are some proactive measures organizations can take to reduce the risk posed by CVE-2021-44228:
- Upgrade to Apache Log4j 2.15.0-rc2, as all prior 2.x versions are vulnerable
- For Log4j version 2.10.0 or later, set the system property log4j2.formatMsgNoLookups to true; this disables message lookups so that logged input can no longer trigger JNDI (LDAP and other) requests to untrusted servers
- Set both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false to prevent remote class loading, which blocks the remote code execution path; this is the default from Java 8u121 onward
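As an added check (example code written for this page, not Mail & Deploy's own tooling), the following Python audits a log4j-core jar and a JVM command line against the three points above. It assumes the standard Maven layout that places pom.properties under META-INF/maven/org.apache.logging.log4j/log4j-core/, and it additionally reports whether the JndiLookup class, where the vulnerable lookup lives, is still present in the jar; the sample jar is constructed in memory.

```python
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # standard Maven metadata path
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_FIXED = (2, 15, 0)  # version floor from the advisory above

def parse_version(pom_properties):
    """Turn 'version=2.14.1' into (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_log4j_core(jar):
    """Return (version, has_jndi_lookup) for a log4j-core jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        return version, JNDI_LOOKUP_CLASS in names

def jvm_props(cmdline):
    """Extract -Dkey=value system properties from a JVM command line (e.g. from ps output)."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", cmdline))

def assess(version, has_jndi_lookup, props, env):
    """Apply the advisory's checks; return a list of findings (empty means nothing flagged)."""
    findings = []
    if version is None or version < MIN_FIXED:
        findings.append("log4j-core below 2.15.0")
    if has_jndi_lookup:
        findings.append("JndiLookup class present")
    no_lookups = (props.get("log4j2.formatMsgNoLookups", "").lower() == "true"
                  or env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true")
    if version is not None and (2, 10, 0) <= version < MIN_FIXED and not no_lookups:  # flag exists from 2.10.0
        findings.append("formatMsgNoLookups not enabled")
    for key in ("com.sun.jndi.rmi.object.trustURLCodebase", "com.sun.jndi.cosnaming.object.trustURLCodebase"):
        if props.get(key, "false").lower() != "false":  # false is the JDK default since 8u121
            findings.append(f"{key} explicitly enabled")
    return findings

def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar, for offline demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    buf.seek(0)
    return buf
```

On a real host, pass the path of the deployed log4j-core jar to audit_log4j_core and the process command line to jvm_props; an empty findings list means none of the three advisory checks fired.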
Should you have any further questions, please contact us via firstname.lastname@example.org