Summary: On December 9th a vulnerability in the Java logging package log4j 2.x was announced. This package is widely used in enterprise software across the globe. Upon learning of the security issue, Blacknight began investigating which versions of this software were being run across our platforms and customer infrastructure. Our findings are as follows:
- Plesk: latest versions are not vulnerable. If you're running Docker instances, please check which versions of software you're using inside them.
- cPanel: a minor package uses this, but a patch was available already.
- Blacknight Shared hosting: not vulnerable
- CDP Server (backup software used for 90% of customer infra): not vulnerable
- Cloudblue / Ingram Micro (cp.blacknight.com): not vulnerable
- Blacknight internal applications: not vulnerable
- Open-Xchange Webmail: not vulnerable
We are still waiting to hear back from some vendors, but anything that is publicly accessible right now looks to be safe. This situation is still evolving and any of the above could change with further information, so please check back often for updates.