Log4J mitigations #43
-
Hi Cerb,
As our operations team examines our systems for potential log4j impact, we wanted to confirm if Cerb is impacted by this. If so, is there something we should do on our end to help mitigate any issues?
Thanks as always,
Replies: 1 comment
-
Hi Barry!
Thanks for asking. It will be useful to have a public statement here.
Cerb itself is PHP/HTML/JavaScript, so it's not affected directly by log4j.
There aren't any Cerb Cloud production servers under our control with Java/JVM installed in any region, nor any internal services running in Java. We migrated all of that to Python and Node.js many years ago.
We did have an isolated staging server with Apache Tika (Java + log4j) installed for an earlier demo (automated document text extraction from XLS/PDF). That was taken offline last Friday. The machine didn't have any privileged access and had an inbound firewall preventing anyone from using it.
Upstream, Amazon Web Services may use Java in some of their cloud-based services. We log to CloudWatch using their Python-based agent.
Our cerb.ai project site search is powered by Elasticsearch (Java/log4j) and hosted by Bonsai.io. That machine is off our network and has no privileges. Its contents are public (indexed web pages). They issued a statement on the 10th about not being vulnerable but applying mitigations: https://twitter.com/bonsaisearch/status/1469371918121934858