Update: Warning from the Federal Office for Information Security
Update 13 Dec 2021: As we already informed you in our e-mail over the weekend, there is currently a security warning from the German Federal Office for Information Security regarding the use of log4j.
The good news up front: the vulnerability in question does not pose an immediate threat to our modules. Nevertheless, we recommend that you:
Prohibit your systems from accessing resources on the internet! (The log4j 2.x vulnerability is exploited by making the library fetch code from an attacker-controlled server via JNDI; blocking outbound connections from your servers stops that step even before the library is updated.)
For the technically savvy among you, we offer the detailed analysis here. We have thoroughly checked our software and can now report to you which of our products or modules are affected by the security vulnerability in log4j 2.x. You can check which products are affected in our e-mail dated 13 Dec 2021.
All software modules from the product families BusinessLine (AdSuite), ProductionLine (OpenMedia) and ContentLine that are not listed in our e-mail are not affected by this security vulnerability. These modules are largely based on the Java framework Spring Boot, which uses the Logback library (http://logback.qos.ch) for logging; Logback is not affected by the vulnerability.
All modules that do not use this framework either integrate Logback directly or use log4j in version 1.x. Log4j 1.x is not affected by this security vulnerability, because it does not perform the JNDI lookups on logged messages that 2.x does; the only 1.x component with JNDI behaviour is the so-called JMS appender, which is not used anywhere in alfa Media's software.
Our solution strategy
Fast protection is important. For all affected modules listed in our e-mail, patched versions are available immediately that solve the problem by either switching to Logback or updating to version 2.16.0 of log4j (2.16.0 was the current release at the time of this update; later 2.17.x releases of log4j fixed further issues, so check for the latest release when you update).
Where possible, we will replace the affected library on your systems with version 2.16.0 as an ad hoc measure, in consultation with you. We will contact you about this shortly.
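If you want to verify the state of your own installations rather than rely on the product list alone, the following inventory check walks a directory tree, opens every .jar and classifies the logging libraries it finds according to the reasoning above: log4j-core 2.x below 2.16.0 is reported as vulnerable (unless the JndiLookup class has been removed, the mitigation documented by the Log4j project itself, not by alfa Media), log4j 1.x is reported only as something to check when it still ships the JMS appender, and Logback is reported as not affected. This is an added example, not alfa Media's code; the sample jars it builds are constructed for the illustration, and the status labels and function names are this example's own.

```python
"""Inventory check for the log4j situation described in the advisory above.

Reports, per jar: log4j-core 2.x below 2.16.0 as vulnerable unless
JndiLookup.class was removed (Log4j project mitigation); log4j 1.x as
"check-config" if it ships JMSAppender; logback as not affected.
The jars written by build_sample_tree() are constructed for this example.
"""
import os
import re
import tempfile
import zipfile

FIXED_2X = (2, 16, 0)   # version the advisory updates to
CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_PROPS_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(zf, props_path, filename):
    """Version from the Maven pom.properties inside the jar, else from its file name."""
    if props_path in zf.namelist():
        for line in zf.read(props_path).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    m = re.search(r"-(\d+\.\d+(?:\.\d+)?)", filename)
    return parse_version(m.group(1)) if m else None


def classify_jar(path):
    """Return (status, detail) for one jar, or None if it is not a logging library."""
    filename = os.path.basename(path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            ver = jar_version(zf, POM_PROPS_2X, filename)
            if ver is None:
                return ("review", f"{filename}: log4j-core 2.x, version unknown")
            vstr = ".".join(map(str, ver))
            if ver >= FIXED_2X:
                return ("ok", f"{filename}: log4j-core {vstr}")
            if JNDI_LOOKUP not in names:
                return ("mitigated", f"{filename}: log4j-core {vstr}, JndiLookup.class removed")
            return ("vulnerable", f"{filename}: log4j-core {vstr} below 2.16.0")
        if any(n.startswith("org/apache/log4j/") for n in names):   # log4j 1.x package
            if JMS_APPENDER in names:
                return ("check-config", f"{filename}: log4j 1.x ships JMSAppender, verify it is not configured")
            return ("ok", f"{filename}: log4j 1.x without JMSAppender")
        if any(n.startswith("ch/qos/logback/") for n in names):
            return ("ok", f"{filename}: logback, not affected")
    return None


def scan_directory(root):
    """Walk root, classify every .jar and return the findings sorted by file name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                result = classify_jar(os.path.join(dirpath, f))
                if result:
                    findings.append(result)
    return sorted(findings, key=lambda r: r[1])


SAMPLES = {  # constructed sample deployment: file name -> jar entries (class files are empty stubs)
    "log4j-core-2.14.1.jar": [POM_PROPS_2X, CORE_CLASS, JNDI_LOOKUP],
    "log4j-core-2.14.1-stripped.jar": [POM_PROPS_2X, CORE_CLASS],
    "log4j-core-2.16.0.jar": [POM_PROPS_2X, CORE_CLASS, JNDI_LOOKUP],
    "log4j-1.2.17.jar": ["org/apache/log4j/Logger.class", JMS_APPENDER],
    "logback-classic-1.2.3.jar": ["ch/qos/logback/classic/Logger.class"],
}


def build_sample_tree(root):
    """Write the constructed sample jars under root/lib and return that directory."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for filename, entries in SAMPLES.items():
        version = re.search(r"-(\d+\.\d+\.\d+)", filename).group(1)
        with zipfile.ZipFile(os.path.join(lib, filename), "w") as zf:
            for name in entries:
                zf.writestr(name, f"version={version}\n".encode() if name == POM_PROPS_2X else b"")
    return lib


def scan_sample():
    """Build the sample tree in a temp dir and return {file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {d.split(":", 1)[0]: s for s, d in scan_directory(build_sample_tree(tmp))}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for status, detail in scan_directory(build_sample_tree(tmp)):
            print(f"[{status:12}] {detail}")
```

Point scan_directory() at the installation directory of a module (or the whole application server) instead of the sample tree. A "vulnerable" result means the jar still needs the 2.16.0 update; "check-config" means a log4j 1.x configuration should be inspected for a JMSAppender entry; "review" means the version could not be read and the jar should be inspected by hand. Jars nested inside .war or .ear archives are not unpacked by this check.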
Message 11 Dec 2021
You have probably already noticed the warning from the German Federal Office for Information Security (BSI) regarding Log4j.
Log4j is used as a logging package by many manufacturers in a wide range of popular software, including products from Amazon, Apple iCloud, Cisco, Cloudflare, Elasticsearch, Red Hat, Steam, Tesla and Twitter, and video games such as Minecraft.
The BSI currently sees a heightened IT threat situation for business processes and applications. Because of the widespread scanning already under way, a subsequent compromise of vulnerable systems and applications cannot be ruled out, all the more so as patches are not yet available for many products.
You are probably wondering whether, and if so how, this affects the alfa applications used in your organisation. We are working at full speed to eliminate all possible threats for you. For our publicly accessible B2C modules (e.g. WebStore, GlobalPurchase) we have been using Logback for years, an alternative logging library that is not affected. Nevertheless, we are currently checking all alfa modules as well as our hosting installations to ensure that you will not encounter any problems.
In the unlikely event that problematic situations do arise, we will contact you directly and without any delay.