TL;DR: Customer data is safe and unaffected by Log4j.
During the last few days, the whole IT industry seems to have been shaken to the core after the discovery of the Apache Log4j 0-day critical vulnerability. Alarmingly, this vulnerability scored a maximum NIST rating of 10 (CVE-2021-44228).
At Xensam, we immediately took action by investigating if and how this might impact us and our customers. We are delighted to report that since Xensam does not use any Java software as part of our self-developed applications, this vulnerability would have no effect on the security of our customer environments.
However, we are using Elasticsearch as part of our support ticketing system, which we immediately disabled pending further investigation. Subsequently, Elasticsearch provided a statement that pointed out which of their products could be affected by this vulnerability and how any risk could be mitigated. We are happy to report that the version of the Elasticsearch products that we are using is not affected by this issue. However, we still applied the recommended JVM setting -Dlog4j2.formatMsgNoLookups=true.
We now feel comfortable enabling the Elasticsearch service once again.
Our file hosting solution also has Elasticsearch as part of its stack, but we have never enabled that service in the first place, hence it is not affected by this vulnerability. We still applied the same JVM setting to mitigate it regardless.
Naturally, as soon as updates with a patched Log4j are available for the above Elasticsearch products, those versions will be rolled out on our side as well.