Payments Fintech Adyen Reveals How It Addressed Log4j Critical Vulnerability

It was an eventful week for the Java ecosystem and the open source community: on December 9, 2021, a critical vulnerability came to light in the widely used Java logging framework Log4j (version 2).

The team at payments fintech Adyen has shared details of some of the actions it took to address this serious issue, along with the mitigating factors and coding best practices recommended by its security team.

Reported to the Apache Foundation by the Alibaba Cloud Security team, the Log4j vulnerability has “initiated a global race to understand exposure, apply a fix as soon as possible, and evaluate impact across the wide number of systems and software applications that somehow rely (or include) the library,” the team at Adyen wrote in a blog post.

The vulnerability, “being so severe and ubiquitous, has been given its own name (Log4Shell), something that happened in the past for other notorious security threats (https://shellsharks.com/designer-vulnerabilities).”

As explained by Adyen, malicious attackers are able to exploit a Log4j security flaw “triggering Remote Code Execution (RCE), extracting sensitive data or causing a denial of service, typically providing certain input strings that are eventually logged by the application using Log4j.”

Adyen further noted that Java is a pillar of their core platform and several services are “running on top of it – therefore we have taken the incident very seriously.”

People, processes and tools are their best assets and they have “again delivered,” according to Beppe Catanese, Developer Advocate, Adyen.

As noted in the update:

“Soon after the news started circulating, our teams were already exchanging messages, performing an initial assessment and discussing the first steps and actions. Although we have formal channels for managing security alerts, the AdyenWay is about direct, fast and effective interactions between teams (support, security, development, product). As such, detection and communication happened rapidly and efficiently.”

The Adyen team further revealed that they have “a centralized way of understanding services, versions and dependencies.”

The assessment was not limited to “looking at which Java application is affected, or which framework can be compromised, but we assessed the overall status of the platform and performed a full review to figure out every potential exploitable behavior and further detection techniques to be implemented.”

While Log4j and other Open Source frameworks depending on it “were found in various parts of the Adyen Core platform, no breach or exploitation was recorded thanks to the mitigating factors already in place,” the firm claims.

According to Adyen, the mitigations “were effective” and included a “mix of best practices and modern security measures.”

The Adyen team added that while the mitigating factors and existing measures “confirmed no exploitation would be possible we patched all our platform and supporting services diligently.”

The company further noted that they will “keep a close look and monitor for further developments as new vulnerabilities or attack vectors could be identified.”

Adyen added:

“Our merchants and partners are important to us and they are always our first priority: we informed relevant stakeholders about the situation and the activities undertaken to secure the platform and every integration.”

For more technical details on this update, check here.
