ACME Log4j Zero-Day Vulnerability (CVE-2021-44228)
Incident Report for ACME Technologies
Resolved
Log4j has been removed from ACME's codebase with the 11.16 release on 1/25/2022.
Posted Jan 26, 2022 - 07:47 PST
Monitoring
On Friday, December 10th, ACME became aware of a critical severity zero-day exploit known as “Log4Shell” in the Log4j library, which is widely used in numerous systems around the internet.

Log4j is not our primary logging tool. However, it is deployed in a small infrastructure area of the backoffice site, which is authenticated. In this usage scenario, the logging does not sit behind an injection flow and is not exposed to our APIs. Therefore, the vulnerability is not deemed exploitable.

Cloudflare, our cloud security layer vendor, which is deployed in front of our APIs, updated the default setting of the web application firewall (WAF) to protect against the vulnerability.

To prevent any further spread in the use of the Log4j library, we are removing Log4j from our codebase in our next release.
Posted Dec 14, 2021 - 14:29 PST
This incident affected: ACME Platform (ACME Backoffice (B2B)).