A red and white lighthouse stands in front of the coast of an azure sea.

Measures Taken of a Critical Vulnerability in the Java Library Log4j

With this blog post we would like to inform you about measures we have taken regarding a critical security vulnerability in the Java library Log4j. We have already taken all recommended measures and secured our systems over the weekend in the night of December 11,2021 directly after the vulnerability was published by the German Federal Office for Information Security (BSI). In addition, we adapted our monitoring measures and intrusion detection systems specifically to this security gap in order to detect and prevent potential attacks. In addition, all systems have been examined by security experts to determine their vulnerability. There is no risk for our systems at all.

Update 11/17/2021

Proactive measures and new luckycloud version.

What consequences the security vulnerability Log4j will entail, experts can still difficult to estimate. Still the situation is unclear. But: luckycloud customers are nevertheless on the safe side. After comprehensively securing our systems, we have taken further preventive measures to be armed against security vulnerabilities that may occur in the future. Our team is currently working on a new version that does not contain any of the components classified as critical. As soon as this version has been sufficiently tested and released, we will make it available and inform our customers.

---

With this blog post we would like to inform you about taken measures of a critical security vulnerability in the Java library Log4j.

We have already taken all recommended measures over the weekend in the night of December 11,2021 directly after the vulnerability was published by the German Federal Office for Information Security (BSI) and secured our systems. In addition, we adapted our monitoring measures and intrusion detection systems specifically to this security vulnerability in order to detect and prevent potential attacks. In addition, all systems have been examined by security experts to determine their vulnerability. There is no risk to our systems whatsoever.

As soon as updates for additional components are available, they will be applied after a check.

Only one system with which luckycloud works was indirectly affected by the security vulnerability. We were able to close this successfully as soon as it became known. Since the corresponding system itself is not connected to the Internet, an attack would have been very unlikely according to expert assessment, and we have no evidence of it.

We rely on the zero-knowledge principle for data storage out of conviction. This ensures that our customers' data is also exclusively encrypted for us. Even in the event of an attack, they would not be readable, as only our customers can decrypt them.

We continue to be in close exchange with partner systems as well as security experts and take our task of protecting our customer data very seriously.

---

What is the Java library Log4j and what critical vulnerability was discovered?

A Java library is a software module that is used to implement a specific functionality in a software.

The BSI classifies the critical vulnerability (Log4Shell) in the widely used Java library Log4j as a critical threat level. The BSI has therefore issued a level red cybersecurity warning. The reason for this assessment is the very wide distribution of the affected software modul and the associated impact on numerous other software products.

The vulnerability is also already exploitable and a proof-of-concept is publicly available. If the vulnerability is successfully exploited, the affected system can be taken over. According to the BSI, worldwide mass scans and compromise attempts are known. The first successful compromises are also already being publicly reported.

The full extent of the threat situation for many companies cannot be conclusively assessed at this time, according to the BSI. However, there is a security update for the affected Java library Log4j, but all systems that use Log4j must be adapted. The BSI recommends that companies and organizations implement the defensive measures mentioned in the cybersecurity warning in particular.

A BSI cybersecurity warning with information and measures to deal with the vulnerability can be found here:
https://bsi.bund.de/dok/997080

The latest information is continuously made available on the BSI websites:
https://bsi.bund.de/dok/log4j

More information:
https://bsi.bund.de/dok/997278

You might also be interested in