Skip to main content

Log4j: mailbox.org is secure

Warndreieck

A small open-source tool called "log4j" has caused a bit of an uproar last weekend and was even mentioned on the main national TV news program "Tagesschau" (in German). The tool is used by some Java applications for the purpose of monitoring network connections and older versions of it were found to contain a serious vulnerability. There has been growing concern across many sectors within and beyond IT as last Saturday, the German Federal Office for Information Security (BSI) raised their security alert level to the maximum because of the issue. It appears that thousands of businesses are affected, and that user data and even administrator accounts are at risk.

mailbox.org is also currently receiving many enquiries from concerned users - but mailbox.org is not affected.

Our IT security service providers warned early in the morning

Even before log4j began to run its circles over the news tickers on Friday lunchtime, we were proactively alerted to the problem as early as 9:23 in the morning by our own contracted IT security service providers, Zero BS.

Our team then immediately began checking all potentially affected systems. All important systems "in the first row" (OX, Atlassian, Jitsi) were not vulnerable to log4j, because either log4j was not used or was configured by us from the beginning in a way that the vulnerability could not be exploited. We found a potential vulnerability on a rather unimportant system (ELK stack) in the second row, but this was very quickly mitigated by us on Friday at 1 pm through a configuration adjustment. Our team continued to monitor and analyse the situation over the weekend and found no further threats.

According to our assessment, customer data and the security of our systems were not seriously affected at any time.

Background

Last weekend, the Randoori Attack Team published a vulnerability in the Java tool log4j, now known as CVE-2021-44228. When log4j is used in a version between 2.0 and 2.14.1, attackers can obtain elevated access permissions by transmitting to an affected server a malicious URL that contains hidden commands. These commands will then be executed on the server side using administrative permissions. The vulnerability was fixed on Thursday, 9 December 2021 and is no longer present in log4j version 2.15. However, this is still a concern because not all affected servers will have been updated yet to use this latest version of the tool.

More news

mailbox Logo

mailbox becomes the digitally sovereign workplace: Technology and brand reimagined

Read more about mailbox becomes the digitally sovereign workplace: Technology and brand reimagined
Trophy in recognition of excellent performance

Recognition for our security standards: BSI awards mailbox.org gold status!

Read more about Recognition for our security standards: BSI awards mailbox.org gold status!
People in a meeting are happy together about a success

New mailbox Suite: Modern design and smart features now available as beta

Read more about New mailbox Suite: Modern design and smart features now available as beta