A small open-source tool called "log4j" has caused a bit of an uproar last weekend and was even mentioned on the main national TV news program "Tagesschau" (in German). The tool is used by some Java applications for the purpose of monitoring network connections and older versions of it were found to contain a serious vulnerability. There has been growing concern across many sectors within and beyond IT as last Saturday, the German Federal Office for Information Security (BSI) raised their security alert level to the maximum because of the issue. It appears that thousands of businesses are affected, and that user data and even administrator accounts are at risk.
mailbox.org is also currently receiving many enquiries from concerned users - but mailbox.org is not affected.
Our IT security service providers warned early in the morning
Even before log4j began to run its circles over the news tickers on Friday lunchtime, we were proactively alerted to the problem as early as 9:23 in the morning by our own contracted IT security service providers, Zero BS.
Our team then immediately began checking all potentially affected systems. All important systems "in the first row" (OX, Atlassian, Jitsi) were not vulnerable to log4j, because either log4j was not used or was configured by us from the beginning in a way that the vulnerability could not be exploited. We found a potential vulnerability on a rather unimportant system (ELK stack) in the second row, but this was very quickly mitigated by us on Friday at 1 pm through a configuration adjustment. Our team continued to monitor and analyse the situation over the weekend and found no further threats.
According to our assessment, customer data and the security of our systems were not seriously affected at any time.
Background
Last weekend, the Randoori Attack Team published a vulnerability in the Java tool log4j, now known as CVE-2021-44228. When log4j is used in a version between 2.0 and 2.14.1, attackers can obtain elevated access permissions by transmitting to an affected server a malicious URL that contains hidden commands. These commands will then be executed on the server side using administrative permissions. The vulnerability was fixed on Thursday, 9 December 2021 and is no longer present in log4j version 2.15. However, this is still a concern because not all affected servers will have been updated yet to use this latest version of the tool.
