Outage in Yieldify

CVE-2021-44228

Resolved Minor
December 10, 2021 - Started over 2 years ago

Outage Details

Yieldify is actively following the security vulnerability found in the open-source Apache Log4j utility (CVE-2021-44228). The Apache Log4j utility is a commonly used library for logging requests in Java-based projects and codebases. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code. On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

Latest Updates (sorted recent to last)

RESOLVED about 2 years ago - at 01/25/2022 02:10PM

To follow best practices, all Log4j dependencies have been updated to use version 2.17.1 to address the vulnerabilities reported as CVE-2021-44832 and CVE-2021-45046.
We have continuously monitored our systems throughout the incident and we do not believe that our systems were compromised due to these vulnerabilities.

MONITORING over 2 years ago - at 12/17/2021 05:42PM

We are aware of an additional security advisory indicating that the fix to address CVE-2021-44228 in Log4j 2.15.0 does not remediate the vulnerability appropriately in certain configurations. This has been catalogued under CVE-2021-45046.

Although we do not currently believe that our systems are at risk due to this latest vulnerability, we will keep a close eye on the situation in case new vulnerabilities or bypasses are discovered and we will be updating all versions of Log4j to 2.16.0 in the coming weeks.

MONITORING over 2 years ago - at 12/14/2021 09:22PM

Our team has completed a thorough review of our codebases, dependencies, and suppliers. The relevant systems have now been patched and we do not have any further reason to believe that the Yieldify Conversion Platform may be impacted by this vulnerability.

We will continue to monitor the situation closely.

IDENTIFIED over 2 years ago - at 12/14/2021 01:29PM

Any potential use of log4j within our systems is being investigated. We are also monitoring the situation with our suppliers.

Throughout this incident, we have been continuously monitoring our egress traffic via our SIEM (Lacework) and no abnormal egress traffic has been detected.

IDENTIFIED over 2 years ago - at 12/14/2021 01:28PM

Yieldify is actively following the security vulnerability found in the open-source Apache Log4j utility (CVE-2021-44228).

The Apache Log4j utility is a commonly used library for logging requests in Java-based projects and codebases. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
