Log4j vulnerability and softgarden products
Incident Report for softgarden e-recruiting GmbH
Resolved
We have completed revisions to our products and services, including dependencies.
In general, the exploit can be abused on JVM versions older than 8u192 or 11.01. This is not the case in our environment, since all of our JVM versions are newer.
Nevertheless, we have updated all components under our direct control and updated the services that were running exploitable versions of Log4j.

Therefore, we assume that we are not affected by the Log4Shell exploit.
Posted Dec 16, 2021 - 14:54 CET
Monitoring
A fix has been implemented and we are monitoring the results.
Posted Dec 16, 2021 - 14:29 CET
Investigating
On Friday, December 10th, a critical remote code execution vulnerability (CVE-2021-44228), also known as Log4Shell, was discovered, which affects Apache Log4j versions 2.0-2.14.1. Log4j is a popular logging library in Java and is used in several enterprise applications.

As our core infrastructure is written in Java, our systems may be affected by this security vulnerability.

So far we have checked most of the systems involved in our product portfolio. Where affected versions of Log4j are in use, the libraries were upgraded or other measures were implemented (e.g. additional JVM parameters).

We always strive to provide our software and services as securely as possible.
Of course, we will be happy to keep you updated on what our reviews reveal.
Posted Dec 12, 2021 - 12:40 CET
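The review described in the update above (finding which deployed components carry an affected Log4j version) comes down to inventorying log4j-core jars and comparing their versions against the range the report names, 2.0 through 2.14.1. The script below is an added example and is not softgarden's own tooling; the jar paths in SAMPLE_INVENTORY are constructed for illustration, and the filename pattern assumes the standard Maven naming `log4j-core-<version>.jar`. It deliberately only flags the `log4j-core` artifact, because that is the jar containing the vulnerable JNDI lookup, and it reports anything it cannot classify rather than silently treating it as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range exactly as stated in the incident report (CVE-2021-44228):
# Apache Log4j 2.0 through 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Standard Maven artifact naming, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
# Pre-release suffixes are tolerated but ignored for the range comparison.
JAR_RE = re.compile(
    r"(?i)^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?\.jar$"
)

# Constructed sample inventory: what a file listing of several services might contain.
SAMPLE_INVENTORY: List[str] = [
    "/opt/webapp/lib/log4j-core-2.14.1.jar",   # inside the affected range
    "/opt/api/lib/log4j-core-2.9.1.jar",       # inside the affected range
    "/opt/tracking/lib/log4j-core-2.17.0.jar", # above the range named in the report
    "/opt/webapp/lib/log4j-api-2.14.1.jar",    # api jar: not the artifact with the lookup code
    "/opt/legacy/lib/log4j-1.2.17.jar",        # Log4j 1.x: different artifact, outside this CVE's range
    "/opt/smtp/lib/logback-classic-1.2.3.jar", # unrelated logging library
]


def parse_log4j_core_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j-core jar filename, or None if it is not one."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True if the version falls within the range the report lists as affected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_inventory(jar_paths: List[str]) -> Dict[str, List[str]]:
    """Bucket each jar path by its relation to the affected range.

    'affected'      - log4j-core within 2.0..2.14.1
    'outside_range' - log4j-core with a version outside that range
    'unclassified'  - anything that is not a log4j-core jar (reported, not ignored)
    """
    report: Dict[str, List[str]] = {"affected": [], "outside_range": [], "unclassified": []}
    for path in jar_paths:
        name = path.rsplit("/", 1)[-1]
        version = parse_log4j_core_version(name)
        if version is None:
            report["unclassified"].append(path)
        elif is_in_affected_range(version):
            report["affected"].append(path)
        else:
            report["outside_range"].append(path)
    return report


if __name__ == "__main__":
    result = scan_inventory(SAMPLE_INVENTORY)
    for bucket, paths in result.items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

Running it against a real file listing (for example the output of a `find` over each service's library directory) gives the per-service picture the report describes: the "affected" bucket is the upgrade list, and the "unclassified" bucket is what still needs a human look, since shaded or renamed jars do not follow the Maven filename convention.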
This incident affected: Customer Web Application, Applicant Web Application, API, Job Advertisement Service, Tracking Service, and SMTP Service.