A zero-day vulnerability impacting versions 2.0 through 2.14.1 of the Apache Log4j 2 package was publicly disclosed on December 9. (Please refer to the CVE for more details.)
Apache has released a new Log4j version to fix the vulnerability. Versions of this library earlier than 2.15.0 are vulnerable to remote code execution. For more details on the vulnerability, please refer to the CVE.
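As an added example (not OneDesk's code or part of the original notice), the affected range stated above can be turned into an inventory check: parse each Log4j version numerically and flag anything between 2.0 and 2.14.1 inclusive, which is how a defender confirms whether a deployment still needs the 2.15.0 fix. It assumes standard Maven artifact naming (`log4j-core-<version>.jar`); the file paths below are constructed sample input.

```python
import re
from pathlib import PurePath

# Affected range and fixed release as stated in the advisory.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
FIXED_VERSION = (2, 15, 0)

# Assumption: jars follow the usual Maven naming, e.g. log4j-core-2.14.1.jar.
# Only log4j-core is matched; log4j-api alone does not carry the vulnerable code path.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.14.1' into the tuple (2, 14, 1), padded to three components.

    Numeric tuples are used deliberately: as strings, '2.9.1' > '2.14.1',
    which would wrongly mark 2.9.1 as newer than the last affected release.
    """
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version lies in the advisory's affected range 2.0 .. 2.14.1."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def needs_upgrade(version):
    """True for any 2.x release older than the fixed 2.15.0 build."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION


def log4j_core_version(path):
    """Extract the version from a log4j-core jar filename, or None if it is not one."""
    match = JAR_NAME_RE.match(PurePath(path).name)
    return match.group(1) if match else None


def find_affected_jars(paths):
    """Return (path, version) pairs for every log4j-core jar in the affected range."""
    hits = []
    for path in paths:
        version = log4j_core_version(path)
        if version is not None and is_affected(version):
            hits.append((path, version))
    return hits


# Constructed sample inventory; not taken from any real system.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/other/lib/log4j-core-2.9.1.jar",
    "/opt/patched/lib/log4j-core-2.15.0.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, version in find_affected_jars(SAMPLE_PATHS):
        print(f"AFFECTED {version}: {path}")
```

Run against a real tree, the path list would come from a filesystem walk; the check is deliberately limited to the version range the advisory states, so a jar with a qualifier in its name (such as a release candidate) is not matched and has to be reviewed by hand.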
We investigated our Cloud SaaS platform and confirmed that affected Log4j libraries were in use both in our own code and in dependent services. We can affirm that the vulnerability was not exploitable, based on several mitigations already present in the environment.
Less than 6 hours after we became aware of this vulnerability, we incorporated the fixed library into our own code (scheduled to be released) and applied the mitigations published by MITRE (Mitre.org) to the live environment.
We have also adjusted the detection rules for our WAF and are continuously monitoring for patterns of abuse.
By Saturday morning we had released fixes for the On-Premise version of OneDesk and had started reaching out to our On-Premise customers with tailored steps to mitigate the issue in their own environments.