Apple, Twitter, Amazon: almost all web services were affected by the security vulnerability in the Java logging library Log4j. Even before the German Federal Office for Information Security (BSI) declared its highest warning level, AEB had already initiated all security measures. AEB specialists examined the systems and implemented patches or defensive mechanisms where necessary.
Current status - Update of February 28, 2022
Since there have been no significant new findings regarding critical Log4j vulnerabilities, we do not expect to update this article further. Any other Log4j-related vulnerabilities will be handled by AEB as part of the normal vulnerability management process.
New findings on Log4j are monitored continuously, and systems are protected or patched accordingly. AEB also responds immediately to any further critical vulnerabilities that are discovered.
The following still applies: AEB systems are safe from these vulnerabilities based on current knowledge. This applies to AEB cloud applications as well as on-premise installations.
Our measures, as described here, address the following vulnerabilities in Log4j 1.x in particular:
In Log4j 2.x:
Details for AEB cloud applications
Your systems are not affected:
- Either because they do not use an affected Log4j component
- Or, if they use a Log4j 2.x component, it has already been patched to the latest version (2.17)
- Or, if they use a Log4j 1.x component, the affected sub-component is not used by AEB
Where any third-party components in use were vulnerable to external attack, they have either been patched to the latest version, mitigated with the necessary workarounds, or replaced.
In addition, the security measures implemented at several layers protect your solution against exploitation of this and other vulnerabilities. This is verified by regular vulnerability scans and penetration tests.
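A practitioner verifying the "patched to the latest version (2.17)" statement above checks the deployed artifacts, not the release notes. The following Python script is an added example, not AEB's own tooling: it reads the Maven version from log4j-core's pom.properties inside a jar (descending into nested jars, WARs and EARs), flags anything below an assumed minimum of 2.17.0, and reports whether JndiLookup.class is still present. The minimum version, the Maven metadata path and the sample jars it builds in memory are assumptions and constructed test data, not AEB's systems.

```python
"""Check Log4j 2 jars on disk for a minimum version and for JndiLookup.class.

Added example, not AEB's tooling. Assumptions: minimum version 2.17.0 (the page
states "2.17"), and the standard Maven metadata path inside log4j-core jars.
"""
import io
import os
import re
import zipfile

MIN_VERSION = (2, 17, 0)  # assumption: the "2.17" the page names as latest
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.17.1' into (2, 17, 1); '2.0-beta9' becomes (2, 0, 0)."""
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def inspect_jar(data, name="<bytes>"):
    """Return a list of findings for one jar given as bytes.

    A finding is recorded when the jar carries log4j-core Maven metadata or
    still contains JndiLookup.class. Nested archives are inspected recursively,
    which is what catches log4j-core bundled inside a WAR or fat jar.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            findings.append({
                "jar": name,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                # unknown version plus a JndiLookup class is treated as not ok
                "ok": version is not None and parse_version(version) >= MIN_VERSION,
            })
        for inner in sorted(names):
            if inner.endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_directory(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), path))
    return findings


def make_sample_jar(version, include_jndi=True, wrap_in=None):
    """Constructed test data: an in-memory jar mimicking log4j-core's layout.

    With wrap_in set, the jar is nested inside an outer archive under that path.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class file header
    data = buf.getvalue()
    if wrap_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(wrap_in, data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    samples = [
        (make_sample_jar("2.14.1"), "old-log4j-core.jar"),
        (make_sample_jar("2.17.1", include_jndi=False), "patched-log4j-core.jar"),
        (make_sample_jar("2.16.0", wrap_in="WEB-INF/lib/log4j-core-2.16.0.jar"), "app.war"),
    ]
    for data, label in samples:
        for finding in inspect_jar(data, label):
            print(finding)
```

One caveat when running this against real hosts: the Java 7 branch (2.12.x) and the Java 6 branch (2.3.x) received their own fixed releases, so a single 2.17.0 threshold will flag those jars even when they are current; adjust MIN_VERSION per branch if such jars are in scope.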
Details for on-premise solutions
You do not need to adapt or patch on-premise solutions (as long as they are still being maintained).
In some cases, on-premise solutions from AEB use Log4j components in version 1.x. However, the affected sub-components are not used by AEB, and the configuration is also restricted, e.g. it only allows predefined appenders.
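The restriction to predefined appenders is the relevant control for Log4j 1.x, because the publicly reported 1.x issues sit in optional appenders such as JMSAppender and JDBCAppender and require an attacker to get such an appender into the configuration. The following Python checker is an added example, not AEB's configuration or tooling: it extracts every configured appender class from a log4j.properties or log4j.xml file and reports any class outside an allow-list. The allow-list contents and the two sample configurations are assumptions and constructed test data.

```python
"""Check a Log4j 1.x configuration against an allow-list of appender classes.

Added example, not AEB's tooling. ALLOWED_APPENDERS is an assumption standing
in for whatever "predefined appenders" a given deployment permits.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: only local console/file appenders are predefined; anything that
# talks to JMS, JDBC or the network is rejected by default.
ALLOWED_APPENDERS = {
    "org.apache.log4j.ConsoleAppender",
    "org.apache.log4j.FileAppender",
    "org.apache.log4j.RollingFileAppender",
    "org.apache.log4j.DailyRollingFileAppender",
}

# Matches "log4j.appender.NAME=fully.qualified.Class" (or ':' as separator),
# but not the appender's sub-keys such as "log4j.appender.NAME.layout=...".
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")


def appenders_from_properties(text):
    """Map appender name -> class for a log4j.properties file."""
    found = {}
    for line in text.splitlines():
        m = _PROP_APPENDER.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def appenders_from_xml(text):
    """Map appender name -> class for a log4j.xml file."""
    root = ET.fromstring(text)
    return {el.get("name", "?"): el.get("class", "?") for el in root.iter("appender")}


def check_appenders(text, allowed=ALLOWED_APPENDERS):
    """Return sorted [(name, class), ...] for every appender not on the allow-list.

    The format is detected from the first non-blank character: '<' means XML,
    anything else is treated as a properties file.
    """
    if text.lstrip().startswith("<"):
        found = appenders_from_xml(text)
    else:
        found = appenders_from_properties(text)
    return sorted((name, cls) for name, cls in found.items() if cls not in allowed)


# Constructed sample configurations (test data, not AEB's files).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, file, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender"/>
  <root><level value="INFO"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)]:
        for name, cls in check_appenders(cfg):
            print(f"{label}: appender '{name}' uses non-allow-listed class {cls}")
```

The check only means something if the configuration file itself is part of the read-only deployment artifact: Log4j 1.x also honours the `-Dlog4j.configuration` system property, so a launcher that lets untrusted input set JVM options would bypass any allow-list applied to the file on disk.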
Looking back – status of December 16, 2021
In light of further developments regarding the “Log4j vulnerability”, AEB has analyzed its systems and solutions again and adjusted them to the new findings where necessary.
The following still applies: AEB systems are safe from this vulnerability based on current knowledge. This applies to AEB cloud applications as well as on-premise installations. Systems have been updated to Log4j 2.16 where necessary.
Status of December 13, 2021
- Hardly any AEB applications are affected by the Log4j vulnerability, either on-premise or in the cloud; there are fewer than a handful of exceptions. These customers have already been informed personally. We are working on a patch.
- The infrastructure in the AEB Cloud is largely unaffected. Patches for the few affected areas have already been deployed.
- In addition to the latest patches, a multi-level security concept and strict control of outgoing connections protect our cloud services (exploitation of this vulnerability depends on the vulnerable host making an outbound connection to an attacker-controlled server, which egress restrictions block).
- We are monitoring intensive scans and attempted attacks on our cloud applications. So far, all of them have been blocked. Should that change, we will inform affected companies immediately.
We will update this page immediately as new information becomes available. (Status of December 22, 2021)