A critical vulnerability in Apache Log4j, a logging library commonly used on the Java base system, was reported on December 10th, 2021.
About CVE-2021-44228 (NIST)
By transmitting crafted data that exploits this vulnerability, a remote third party may be able to execute arbitrary code.
What we’re doing to address this issue
We promptly began securing our services and websites as soon as we became aware of the problem.
As of Dec 13th 9:24 (UTC), we’ve finished updating Apache Log4j on all of our servers, using the workarounds advised by NIST and other security vendors.
When the update is ready, we will notify customers who use the enterprise versions of Backlog and Cacoo via email. Customers using the cloud/online versions of Nulab products can rest assured that updates are rolled out as well.
Based on the known extent of the vulnerability, we have confirmed that it cannot be utilized to attack any of our services.
We’ll keep collecting data on CVE-2021-44228 and take appropriate action as warranted.
Update Dec. 17:
We’re ready to update the enterprise version of Backlog and Cacoo. So we’ve notified users via email.
Due to insufficient countermeasures against CVE-2021-44228 in Apache Log4j, a new vulnerability, CVE-2021-45046, was discovered and the information was published.
As of Dec 16th 7:00 (UTC), we’ve finished updating Apache Log4j on all of our servers, using the workarounds advised by NIST and other security vendors for CVE-2021-45046.