15 Dec Otrum software not affected by the “log4j” exploit

Statement from Otrum CTO, Andreas Tønnesen, on the current Java exploit situation.

On Friday December 10, 2021 news of a zero day vulnerability(CVE-2021-44228) in a common component of java-based software, named log4j, became widely known.
This exploit is about as bad as it gets. It requires just one single HTTP request being sent from anywhere in the world to a affected service, the result is full system compromise.

As Otrums server side applications are mainly java-based, this threat immediately triggered a review of all the Otrum products. Both cloud based services and on-prem applications were analyzed.

No use of the vulnerable versions of log4j were found in any project.

The next step was an in depth analysis of all running components and infrastructure in Otrums wide variety of services. Out of about 50 running services, one single third-party service was found to contain the affected software. This was an internal service that was not publicly available and the component was immediately patched.

The situation is evolving, and we are monitoring any news regarding additional affected technologies closely. Although we are confident in our engineering teams report, should our assessment change, our partners and customers will be updated immediately.

Best regards
Andreas Tønnesen
CTO | Otrum AS