Log4j status at Xensam
2021/12/12

TL;DR: Customer data is safe and unaffected by Log4j.

During the last few days, the whole IT industry seems to have been shaken to the core by the discovery of the critical Apache Log4j zero-day vulnerability. Alarmingly, this vulnerability received the maximum NIST severity rating of 10 (CVE-2021-44228).

At Xensam, we immediately took action by investigating if and how this might impact us and our customers. We are delighted to report that, since Xensam does not use any Java software as part of our self-developed applications, this vulnerability has no effect on the security of our customer environments.

However, we do use Elasticsearch as part of our support ticketing system, which we immediately disabled pending further investigation. Subsequently, Elasticsearch provided a statement that pointed out which of their products could be affected by this vulnerability and how any risk could be mitigated. We are happy to report that the versions of the Elasticsearch products we use are not affected by this issue. Nevertheless, we still applied the recommended JVM setting -Dlog4j2.formatMsgNoLookups=true.

We now feel comfortable enabling the Elasticsearch service once again.

Our file hosting solution also includes Elasticsearch as part of its stack, but we have never enabled that service in the first place, hence it is not affected by this vulnerability. We still applied the same JVM setting there as a precaution.
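As an added example (not Xensam's own tooling), the following POSIX shell check verifies that the mitigation mentioned in the two paragraphs above is actually present on an active line of an Elasticsearch jvm.options file, rather than commented out or mistyped; the sample option files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notice. Reports whether an
# Elasticsearch jvm.options file sets -Dlog4j2.formatMsgNoLookups=true on an
# active (uncommented) line. Returns 0 if present, 1 if absent, 2 if unreadable.
# Note: the property is only honoured by Log4j 2.10 and later, and a running
# JVM must be restarted before a change to jvm.options takes effect.
log4j_lookups_disabled() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  # Drop comment lines, then require the exact property name and value,
  # so that near-misses such as a trailing space or a typo do not pass.
  grep -v '^[[:space:]]*#' "$file" \
    | grep -Eq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$'
}

# Constructed sample files (hypothetical paths, not real Xensam configuration).
tmpdir="$(mktemp -d)"
cat > "$tmpdir/mitigated.options" <<'EOF'
-Xms1g
-Xmx1g
# Log4Shell mitigation applied 2021-12-12
-Dlog4j2.formatMsgNoLookups=true
EOF
cat > "$tmpdir/unmitigated.options" <<'EOF'
-Xms1g
-Xmx1g
# -Dlog4j2.formatMsgNoLookups=true   <-- commented out, so NOT active
EOF

# Walk the sample files and report the result for each one.
for f in "$tmpdir"/*.options; do
  if log4j_lookups_disabled "$f"; then
    echo "$(basename "$f"): lookups disabled"
  else
    echo "$(basename "$f"): lookups NOT disabled"
  fi
done
```

Point the function at the real jvm.options of each Elasticsearch node (or at a copy gathered by your configuration management) to confirm the setting survived deployment.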

Naturally, as soon as updates with a patched Log4j are released for the Elasticsearch products above, those versions will be rolled out on our side as well.
