Information on the new Apache Log4j RCE vulnerability
Because an advisory and exploit code were recently released for a remote code execution vulnerability in Log4j, an open-source logging library, we would like to inform you of its relevance to your ELEMENTS system.
A successful attack can only take place if malicious user-generated data is logged, unsanitized, through Log4j. Some of ELEMENTS' software dependencies, Solr and Elasticsearch, do use Log4j, but with our logging configuration these applications do not log user-generated data at any time, meaning that the exploit does not apply to any of our products.
However, we will still include a patched version of Log4j as soon as possible in the next update.
There is no action to be taken at this time. We will continue to closely monitor the situation and inform you as soon as the patched version of Log4j is available. If you have any further questions, please feel free to reach out to us anytime! You can contact our support team by email at firstname.lastname@example.org or by phone at +49 211 749 535-0.