Fortunately, CODA Products, Services, and Operations have not been impacted by the recently published Log4J vulnerabilities. As per our CODA Footprint Security, Privacy and Architecture Reference Securing and Protecting the Data within the Footprint Ecosystem, we are constantly monitoring our own systems using our own platforms, as well as third-party tools.
CODA is not relying on JAVA for any of its services. However, given the amplitude of the supply chain effects, we have seen vulnerable versions of log4j within our environment.
All client & server-side components were upgraded immediately.
The only server-side component affected was Amazon OpenSearch Service, which released their patch R20211203-P2 on the 14th of December. Nevertheless, our Elasticsearch cluster is not exposed directly to the outside world and is not able to initiate outbound connections to the outside world.
Our WAFs are always-on and configured in blocking mode for all Internet-exposed workloads.
Our WAF vendor has provided rapid blocking capabilities for this vulnerability, since the 12th of December.
We have not identified any signs of RCE on any of our assets, although our WAFs are detecting exploitation attempts, mostly generated by bots.