December 13th, 2021

Attention Fraud.net Users:

Fraud.net is aware of a high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 631 utility which was disclosed publicly via the project’s GitHub 1.1k on December 9, 2021. This security advisory summarizes any potential impacts to Fraud.net products and related steps towards mitigation to address the issue, if any.

Day Zero Vulnerability: Apache Log4j 2 versions 2.0 to 2.14.1.

Fraud.net impact: Only one software impacted i.e. Elasticsearch. No other impacts exist across the Fraud.net asset pool.

Impact assessment: No exploitable impact for Fraud.net products and services found as per security advisory made by impacted vendor, Elasticsearch. The product versions in use at Fraud.net are not at risk from this exploit due to the inherent mitigation method, Java Security Manager, in use by impacted software.

Fraud.net security and operations teams continue to actively monitor threats and vulnerabilities across all its products and services and customers will be notified of any impacts as it is learnt and becomes necessary for further escalations and notifications.

Should there be any further questions, please reach out to security@fraud.net, or our customer help line at +1-866-971-2030. 

Source: Official response from impacted vendor: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476