This security advisory provides customers with an update on how PactFlow services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows an unauthenticated adversary to execute code on systems that have this library deployed by providing specially crafted content. This is a serious vulnerability that affects many software products and online services.
How does this vulnerability affect PactFlow?
PactFlow immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:
- The Log4j library is not used in any of PactFlow's application services or SDKs;
- The Log4j library is not used by any of our open source clients (e.g. Pact JVM).
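Readers who want to run the same kind of inventory check against their own environment can use the script below. It is an added example for this advisory, not PactFlow code: it walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside them, as in uber JARs), reads the log4j-core version from the manifest, and reports whether the JndiLookup class that CVE-2021-44228 abuses is still present. The fixed-version rule (2.15.0 and later, plus the 2.12.2 and 2.3.1 backports for older Java) is taken from the Apache advisory linked below and is the script's own assumption; consult that advisory for the authoritative table.

```python
"""Inventory log4j-core archives under a directory and flag CVE-2021-44228 exposure.

Added example for this advisory; not PactFlow code. The fixed-version rule below is
an assumption taken from the Apache Log4j security page linked in the advisory.
"""
import io
import os
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Class that implements the JNDI lookup abused by CVE-2021-44228; removing it was an
# officially documented mitigation, so its absence is worth reporting.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: fixed in 2.15.0 and later; 2.12.2 (Java 7) and 2.3.1 (Java 6) are backports.
FIXED_FROM = (2, 15, 0)
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


@dataclass
class Finding:
    path: str                 # archive path; nested archives are written as outer!inner
    version: Optional[str]    # Implementation-Version from the manifest, if log4j-core
    has_jndi_lookup: bool     # JndiLookup.class present in the archive

    @property
    def likely_affected(self) -> bool:
        """True when the lookup class is present and the version is not a fixed release."""
        if not self.has_jndi_lookup:
            return False
        parsed = parse_version(self.version)
        if parsed is None:
            return True  # class present but version unknown: treat as affected
        return parsed < FIXED_FROM and parsed not in FIXED_BACKPORTS


def parse_version(version: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; None if unparseable."""
    if not version:
        return None
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from the manifest if this archive is log4j-core."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    fields = {}
    for line in manifest.splitlines():
        if ":" in line and not line.startswith(" "):  # skip manifest continuation lines
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    is_core = (fields.get("Bundle-SymbolicName") == "org.apache.logging.log4j.core"
               or fields.get("Implementation-Title") == "Apache Log4j Core")
    return fields.get("Implementation-Version") if is_core else None


def inspect_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    """Yield a Finding for this archive if relevant, then recurse into nested archives."""
    names = set(zf.namelist())
    version = log4j_core_version(zf)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        yield Finding(label, version, has_jndi)
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{label}!{name}")


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and collect findings for every archive found."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "LIKELY AFFECTED" if f.likely_affected else "ok"
        print(f"{status}\t{f.version or 'unknown'}\tjndi={f.has_jndi_lookup}\t{f.path}")
```

Run it as `python scan_log4j.py /path/to/deployments`. A line marked "ok" with `jndi=False` means the class was removed or the build is a fixed release; a shaded JAR that carries JndiLookup.class without a log4j-core manifest is reported with an unknown version and treated as affected, which is the conservative reading for a dependency you cannot identify.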
What actions should I take?
Users of Pact or PactFlow do not need to take any action at this time.
Where can I find more information?
Additional information on this vulnerability can be found here:
- Apache Software Foundation: Apache Log4j Security Vulnerabilities
- National Vulnerability Database: CVE-2021-44228