On December 9, a vulnerability in Apache Log4j 2 (a logging library used in many Java-based applications) was disclosed that allows remote, unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as "Log4Shell".
When the announcement was made public late last week, we, like everyone else, were quite alarmed. Our web server logs first started showing signs of automated scans for the vulnerability on Dec 10, just one day after the disclosure of CVE-2021-44228. Over the last few days we have conducted a thorough review of our entire codebase and all tools used for our work, and we can report that, to the best of our knowledge, the vulnerability does not affect us or any of the products we ship.
- The GAMS Java API, both expert-level and OO-level, does not use Log4j
- Our internal Jenkins server does use Java, but is unaffected (see this statement).
- The Apache Solr search engine we use on our website has been configured not to use the JndiLookup class from the Log4j package.
- Our Engine SaaS service is not affected
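The Solr item above relies on the JndiLookup class being unavailable to Log4j. The script below is an added example, not code from GAMS or from the Apache projects: it walks a directory tree, reports every log4j-core jar that still ships `org/apache/logging/log4j/core/lookup/JndiLookup.class`, and strips that entry from the jar, which is the mitigation Apache documented for Log4j 2.10 and later (the same effect as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The jars it scans are constructed fixtures built in a temporary directory; the function and path names are this example's own.

```python
import io
import os
import tempfile
import zipfile

# Entry of the vulnerable lookup class inside log4j-core jars. Deleting this
# entry is the mitigation Apache documented for Log4j 2.10+ (upgrading is the fix).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar in place without JndiLookup.class.

    Returns True if the entry was present and removed, False if there was
    nothing to do (so the call is safe to repeat).
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_ENTRY not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_ENTRY:
                    continue  # drop the vulnerable class, copy everything else
                dst.writestr(info, src.read(info.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def scan_tree(root):
    """Map the file name of every log4j-core*.jar under root to True
    (JndiLookup.class present) or False (already stripped)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results[name] = has_jndi_lookup(os.path.join(dirpath, name))
    return results


def make_sample_jar(path, include_jndi):
    """Constructed fixture standing in for a log4j-core jar (not the real
    artifact): a manifest, one placeholder class and, optionally, JndiLookup."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build two sample jars in a temp dir, scan, strip the vulnerable one, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "solr", "lib"))
        vuln = os.path.join(root, "solr", "lib", "log4j-core-2.14.1.jar")
        clean = os.path.join(root, "log4j-core-2.14.1-stripped.jar")
        make_sample_jar(vuln, include_jndi=True)
        make_sample_jar(clean, include_jndi=False)

        before = scan_tree(root)
        removed = strip_jndi_lookup(vuln)
        removed_again = strip_jndi_lookup(vuln)  # nothing left to remove
        after = scan_tree(root)
        return {
            "before": before,
            "removed": removed,
            "removed_again": removed_again,
            "after": after,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `scan_tree` at the install directory of any Java service you run (Solr, Jenkins plugins, application `lib/` folders) to get an inventory before deciding what to patch. Stripping the class only blocks the JNDI lookup path; upgrading log4j-core to a fixed release remains the proper fix, and shaded or renamed jars that bundle Log4j classes under another file name will not match the `log4j-core` prefix used here.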