On Friday, December 10th, ACME became aware of a critical-severity zero-day vulnerability, known as "Log4Shell", in the Log4j library, which is widely used in systems across the internet.
Log4j is not our primary logging tool. However, it is deployed in one small infrastructure component of the back-office site, which requires authentication. In that usage, no externally supplied input reaches the logging calls, and the component is not exposed through our APIs. Therefore we do not consider the vulnerability exploitable in our environment.
Cloudflare, our cloud security layer vendor deployed in front of our APIs, updated the default web application firewall (WAF) rules to block exploitation attempts against this vulnerability. This is a defence-in-depth measure at the network edge; it does not patch the library itself.
To prevent any further use of the Log4j library, we are removing Log4j from our codebase in our next release, ACME 11.16 (1/25/2022).
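One way to verify a removal like the one described above, and to confirm that no vulnerable log4j-core copy is still bundled in build artifacts, is to scan the shipped JARs rather than trusting the dependency manifest alone. The following is an added example written for this notice; it is not ACME's tooling and assumes only the standard library. It reads each JAR (recursing into nested JARs, as found in fat/uber JARs), extracts the log4j-core version from Maven's pom.properties, checks whether the JndiLookup class is still present (Apache documented deleting that class as a stop-gap mitigation), and flags copies older than the assumed safe threshold of 2.17.1. The sample archives it builds are constructed for the demo and mimic log4j-core's layout only.

```python
"""Scan a directory tree for bundled log4j-core JARs and flag vulnerable copies.

Added example (not ACME's own tooling). Assumptions: the safe-version
threshold below (2.17.1) and the two marker paths, which match the layout
of real log4j-core artifacts but are hard-coded here for the demo.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Marker paths inside a log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed threshold: versions below this are treated as needing attention.
SAFE_VERSION = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


@dataclass
class Finding:
    path: str                    # file path, with "!" separating nested archives
    version: Optional[str]       # version from pom.properties, if present
    jndi_lookup_present: bool    # JndiLookup.class still on the classpath?
    flagged: bool                # needs remediation under the assumed rule


def parse_version(pom_properties: str) -> Optional[str]:
    """Pull the version= line out of a Maven pom.properties file."""
    for line in pom_properties.splitlines():
        if line.strip().startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version: str) -> tuple:
    """Turn '2.14.1' or '2.17.1-rc1' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar_bytes(data: bytes, path: str) -> List[Finding]:
    """Inspect one archive (given as bytes) and any archives nested inside it."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip; skip silently
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            jndi = JNDI_LOOKUP in names
            # Conservative rule: the lookup class is present AND the version is
            # unknown or older than the threshold -> flag it. A copy with the
            # class deleted is treated as mitigated.
            flagged = jndi and (version is None or version_tuple(version) < SAFE_VERSION)
            findings.append(Finding(path, version, jndi, flagged))
        # Recurse into nested archives (e.g. BOOT-INF/lib/*.jar in fat JARs).
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive found."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    findings.extend(inspect_jar_bytes(fh.read(), full))
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed sample archive mimicking log4j-core's layout (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_fat_jar(inner: bytes) -> bytes:
    """Constructed fat JAR that bundles a log4j-core JAR under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner)
    return buf.getvalue()


def demo() -> dict:
    """Run the scanner over four constructed cases and return the findings."""
    return {
        "old": inspect_jar_bytes(build_sample_jar("2.14.1", True), "old.jar")[0],
        "class-removed": inspect_jar_bytes(build_sample_jar("2.14.1", False), "mitigated.jar")[0],
        "patched": inspect_jar_bytes(build_sample_jar("2.17.1", True), "patched.jar")[0],
        "nested": inspect_jar_bytes(build_fat_jar(build_sample_jar("2.14.1", True)), "app.jar")[0],
    }


if __name__ == "__main__":
    for label, finding in demo().items():
        print(label, finding)
```

Run it against a release's output directory with scan_tree("path/to/build") and treat any Finding with flagged set as a blocker; an empty result for log4j-core across all artifacts is the evidence that the removal actually reached what ships. Scanning archive contents rather than file names matters because shaded and fat JARs can carry log4j-core under a name that gives no hint of it.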