On December 9, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2, a Java logging library used by a number of popular applications available for distribution. The CVE describes how logging attacker-controlled
data can under common circumstances lead to Remote Code Execution, giving the attacker access to the running environment, as well as other attack vectors.
December 10, 2021 the Log4j Security Vulnerability known as CVE-2021-44228 was brought to the attention of our TechOps and SecOps engineers. After a thorough review of the existing Reach Engine code base, we have determined there is no direct linkage to this version of the log4j library. Reach Engine uses an older version of the library, commonly referred to log4j (note the missing 2), that is not at
all vulnerable to the same attack vector. Any ancillary references to the log4j2 library in our application used are by upstream products that are not susceptible to the same attack vector as there is no code logic that allows it.
We at REACH ENGINE take security very seriously and continually monitor the health of our code libraries and rapidly respond to any information of risk for our customer or their business.
For now all REACH ENGINE code packages are without impact however we will continue to be vigilant and follow the issue appropriately.