Year in Review: Avontus Soars to Greater Heights in 2021
Note from the Editor: As 2021 draws to a close, we’d like to first give a shoutout to all of… Read More
Summary: A critical vulnerability was found in a widely used open-source Java logging library that opens any application containing said library up to all kinds of threats. Avontus software is unaffected by this vulnerability.
Log4j is responsible for generating logs of text over time containing all activities of a specific server in a given period of time.
These logs provide you with a detailed insight into how, when, and by whom your website or application was accessed, which helps you troubleshoot any problems.
While this is the intended purpose of Log4j 2, this new vulnerability allows for unauthenticated remote code execution (RCE). Effectively, any application utilizing Log4j 2 is susceptible to exploitation via remote connection. If a specially formatted piece of text is saved to a log that is handled by Log4j, an arbitrary command can be executed in that server.
How bad is it? Theoretically, an attacker could wrest complete control of any server running a vulnerable version of Log4j. The amount of damage done could be catastrophic. Depending on the purpose of the server, the attacker can do anything from spreading viruses to other users, stealing customer credit card details, or even demanding ransom for sensitive data.
Once again, we’d like to reassure you that we are NOT affected by this vulnerability!
All publicly available Avontus products and the servers that they rely on or communicate with do not run on Java and do not use the Log4j logging library. While we do employ a minimal number of open-source components, we would like to reiterate that NONE of them are Java-based. The Avontus products below are therefore NOT vulnerable:
Additionally, we have also confirmed with our partners that our web presence (main website and documentation home page) does not rely on web servers that use Log4j 2. The same goes for the software that we use internally (accounting, DevOps, support systems, sales and customer relationship management (CRM) tools, etc.).
Here at Avontus, we take the security of our customers seriously and we are proud of our world-class IT infrastructure. We are confident that we would have handled the situation well had we been exposed to this vulnerability. That is because we have prepared redundant on-site and off-site backups precisely to avoid sticky situations like these.
We are also in the process of becoming SOC2 compliant, which involves an auditing process that you can monitor to ensure that Avontus stays on top of the best IT and software development processes.
You can click here to find out more about the situation in detail!