Apache Log4j Vulnerability - No impact to the Adyen platform


On Friday, December 10th 2021, a vulnerability in the Apache Log4j library was detected by the National Institute of Standards and Technology (NIST), potentially affecting systems running Apache Log4j and allowing an attacker to execute code on a remote server.

You may have seen press reports on this already:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Apache: https://logging.apache.org/log4j/2.x/security.html

When we first discovered a report of the vulnerability, prior to the NIST publication above, we immediately began testing our platform. We concluded that our core platform was not vulnerable. The platform and supporting systems were upgraded hours later to account for this vulnerability.

We are not currently at risk of breach via the above vulnerability.

UPDATE:

During last week, starting Tuesday December 14th 2021, new vulnerabilities were found in Apache Log4j library versions 2.15.0 and 2.16.0. The identified vulnerabilities could potentially be exploited to allow an attacker to perform remote code execution, leak sensitive information or carry out a denial of service attack on the affected systems. The advisories for the affected Log4j versions can be found below:

- Version 2.15.0: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- Version 2.16.0: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

When the reports for both vulnerabilities were published, Adyen assessed the impact within the following hours and concluded that our platform is not vulnerable, because of the very specific conditions that must be met for these vulnerabilities to be exploited.

To further reduce risks and unknown attack vectors, on December 15th 2021 the Adyen platform was upgraded to Apache Log4j version 2.16.0, and by December 21st 2021 the Adyen platform will be fully upgraded to Apache Log4j version 2.17.0.

We are neither at risk of breach from nor impacted by these two vulnerabilities.

You can also read about our response to this vulnerability in this blog post.

Please contact Adyen Support (support@adyen.com) in case you have any questions.
