Q&A on the Log4j vulnerability

News broke late last week that a vulnerability in the Log4j Java logging framework was being exploited by hackers. 

What is Log4j?

Log4j is a Java-based logging utility that is bundled by default in a great deal of third-party software. It is widely used in enterprise systems and in millions of web applications, including Apple iCloud and Twitter.

How is the Log4j vulnerability being exploited?

The vulnerability is triggered when a malicious code string is written to a log. Once that string is remotely executed, hackers can take control of the affected system. Free Wortley, CEO of the open source data security platform LunaSec, told Wired, “It’s a design failure of catastrophic proportions.”

Does ID R&D use log4j?

No. While our Docker images include third-party Java components that ship with the log4j framework by default, we do not use that functionality, and it cannot be exploited through our products.

We understand that a vulnerability like this is frightening. Even though we don’t use the log4j framework, we are making dot releases available for prior versions of our products and will remove the log4j library from future releases.
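For customers who want to verify what a vendor image actually bundles, the following scanner (an added example, not ID R&D's code) walks an extracted container filesystem, reports every copy of log4j-core with its version, and flags whether the JndiLookup class that implements the vulnerable lookup is present, recursing into jars nested inside wars and fat jars. It assumes the image filesystem has already been unpacked to a directory (for example with docker export); build_sample_tree constructs a throwaway sample tree with a made-up version string so the scanner runs offline.

```python
import io
import os
import tempfile
import zipfile
# Resources that identify log4j-core inside an archive (standard Maven/log4j jar layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def _inspect(zf, label, findings):
    """Record a finding if this archive is log4j-core, then recurse into archives nested in it."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), "unknown")
        findings.append({"path": label, "version": version, "jndi_lookup_present": JNDI_CLASS in names})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect(inner, label + "!" + name, findings)
            except zipfile.BadZipFile:
                pass  # entry has an archive extension but is not a real archive; skip it

def scan_tree(root):
    """Walk an extracted container filesystem and list every log4j-core copy, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXTS):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, name)) as zf:
                        _inspect(zf, os.path.join(dirpath, name), findings)
                except zipfile.BadZipFile:
                    pass  # corrupt or misnamed file; not an archive we can read
    return findings

def build_sample_tree(version):
    """Constructed sample: a war bundling a log4j-core jar under WEB-INF/lib, so the scanner has a hit."""
    root = tempfile.mkdtemp()
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return root
```

Compare each reported version against Apache's Log4j advisory for the issue in question; a copy whose jndi_lookup_present flag is True still carries the lookup code regardless of whether the surrounding application ever calls it.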

If you are a current ID R&D IDLive Face customer, you will receive an email today reiterating the point that the software cannot be exploited, as well as information on patches. Of course, don’t hesitate to contact us if you have any immediate questions.
