Java vulnerability Log4j: AEB secures its systems (Update)
IT security

Red alert from Federal Office for Information Security: The Log4j vulnerability is keeping web services and users on edge. AEB has already implemented security measures.

Apple, Twitter, Amazon: Almost all web services are affected by the security vulnerability in the Java library Log4j. Even before the German Federal Office for Information Security declared the highest warning level, all security measures had already been initiated at AEB. AEB specialists examined the systems and have already implemented patches or defense mechanisms where necessary.

Current status – Update of February 28, 2022

Since there are no significant new findings regarding new and critical Log4j vulnerabilities, we do not expect to make any further updates to this article. All other vulnerabilities with regard to Log4j will be handled by AEB as part of the normal vulnerability process.

New findings on Log4j are constantly monitored and systems are protected/patched accordingly. AEB also responds immediately to the further critical vulnerabilities that have been discovered.

The following still applies: AEB systems are safe from these vulnerabilities based on current knowledge. This applies to AEB cloud applications as well as on-premise installations.

Our measures, as described here, address the following Log4j1 version 1.x vulnerabilities in particular:

  • CVE-2019-17571
  • CVE-2021-4104
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

In Log4j2 version 2.x

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105

Details for AEB cloud applications

Your systems are not affected:

  • Either because they do not use an affected Log4j component
  • Or, if they use a Log4j 2.x component, it has already been patched to the latest version (2.17)
  • Or, if they use a Log4j 1.x component, the affected sub-component is not used by AEB

If any used 3rd party components were vulnerable to an external attack, they were either already patched to the latest version, necessary workarounds were implemented, or the systems were replaced. In addition, the security measures implemented in several places protect your solution from exploitation of this and other vulnerabilities. This is confirmed by regular vulnerability scans and penetration tests.

Details for on-premise solutions

You do not need to adapt or patch on-premise solutions (as long as they are still being maintained).

In some cases, on-premise solutions from AEB use Log4j components in version 1.x. However, the affected sub-components are not used by AEB and the configuration is also restricted, e.g. it only allows predefined appenders.
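As an added illustration of the restriction described here (and again in the Dec 16 status below), the following audit checks a Log4j 1.x properties file against an allowlist of predefined appenders and flags anything else, noting whether the appender is actually wired to a logger. This is example code, not AEB's tooling; the allowlist, the class-to-CVE mapping for the two configurable appenders, and the sample configuration are assumptions constructed for the example.

```python
import re

# Assumed allowlist of "predefined" appenders a restricted configuration permits.
ALLOWED_APPENDERS = {
    "org.apache.log4j.ConsoleAppender",
    "org.apache.log4j.FileAppender",
    "org.apache.log4j.RollingFileAppender",
    "org.apache.log4j.DailyRollingFileAppender",
}

# Log4j 1.x appenders that can be enabled purely through configuration and that
# map to CVEs listed in the advisory (mapping assumed here for reporting only).
CVE_BY_CLASS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

_APPENDER_RE = re.compile(r"^log4j\.appender\.([A-Za-z0-9_]+)\s*=\s*(\S+)\s*$")
_LOGGER_RE = re.compile(r"^log4j\.(?:rootLogger|logger\.[\w.]+)\s*=\s*(.+)$")


def audit_log4j1_config(text, allowed=ALLOWED_APPENDERS):
    """Return findings for every appender whose class is not in the allowlist."""
    appenders = {}      # appender name -> fully qualified class
    referenced = set()  # appender names attached to the root or a named logger
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = _LOGGER_RE.match(line)
        if m:
            # Logger values look like "LEVEL, appender1, appender2".
            parts = [p.strip() for p in m.group(1).split(",")]
            referenced.update(p for p in parts[1:] if p)
    return [
        {"appender": name, "class": cls, "referenced": name in referenced,
         "cve": CVE_BY_CLASS.get(cls)}
        for name, cls in sorted(appenders.items()) if cls not in allowed
    ]


# Constructed sample configuration: one allowed appender, two that are not.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, FILE, JMS
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=/var/log/app.log
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""
```

Running `audit_log4j1_config(SAMPLE_CONFIG)` flags JMS (active on the root logger) and DB (defined but not wired), while a file using only allowlisted appenders yields no findings.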

Former status (Dec 16, 2021)

Based on further developments regarding the “Log4j vulnerability”, AEB has further analyzed its systems and solutions and adjusted them to the new findings where necessary.
The following still applies: AEB systems are safe from this vulnerability based on current knowledge. This applies to AEB cloud applications as well as on-premise installations.

Details for AEB cloud applications

  • Your systems are either not affected because they do not use an affected Log4j component. Or they have already been patched to the latest version (status 2.16.0).
  • If any used 3rd party components were vulnerable to an external attack, they were either patched to the latest version, necessary workarounds were implemented, or the systems were replaced.
  • In addition, the security measures implemented in several places protect your solution from exploitation of this and other vulnerabilities. This is confirmed by regular vulnerability scans and penetration tests.

Details for on-premise solutions

  • You do not need to adapt or patch on-premise solutions (as long as they are still being maintained).
  • In some cases, on-premise solutions from AEB use a Log4j component in version 1.2.x. However, the affected sub-component is not used by AEB, and the configuration also only allows predefined appenders. This also addresses the “old” CVE-2021-4104.

Former status (Dec 13, 2021, 10 a.m.)

  • Hardly any AEB applications are affected by Log4j – both on premise and in the cloud.
  • There aren’t even a handful of exceptions. These customers have already been informed personally. We are working on a patch.
  • The infrastructure in the AEB Cloud is largely unaffected. The patches for some few affected areas have already been deployed.
  • In addition to the latest patches, a multi-level security concept and a rigid handling of outgoing connections protect our cloud services.
  • We are monitoring intensive scans and attempted attacks on our cloud applications. So far, all of them have been averted. Otherwise, we would inform affected companies immediately.

We will update this page immediately as new information becomes available. (last updated: Feb 7, 2022)