Apollo is using log4js somewhere in its system. I am wondering if this is at risk of the log4j vulnerability that was recently discovered?
Though log4js is not vulnerable, as it is only similar in task and name, it would be good to know from Apollo if they have any systems that are vulnerable.
Hi there! On the day the vulnerability was released, we looked through both our open source packages and our cloud services and infrastructure. We found one system internally that could have had the vulnerability and patched it day of release. That system does not execute any client code directly at any time, and after doing investigation we found no evidence of any exploitation or compromise on that day or any day prior.
Those using the federation-jvm repository could enable log4j on their own, but on that end we use slf4j as a facade to log4j, which is not technically bundled with the package. The example code from that repo also uses logback-classic instead of log4j.
I’ll follow this thread if there are any questions from anyone else!
Thanks,
Chas Peacock, Director, Engineering
Just to follow up, we are doing the same patching mechanic with the new vulnerability around the incomplete patch today on that same system.
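As an added defender-side check (example code, not Apollo's or the federation-jvm project's), the script below inspects the jars on a resolved classpath to tell whether log4j-core is actually present behind an slf4j facade, which version it is, and whether the JndiLookup class is still inside it; MIN_SAFE is an assumed threshold to set per your patch policy, and the sample jars are constructed in-script for offline testing.

```python
import io
import zipfile

# Maven packaging stores the artifact version here inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The JNDI lookup class; deleting it was the published stopgap for deployments
# that could not upgrade immediately.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_SAFE = (2, 17, 1)  # assumed minimum acceptable 2.x release; set per policy

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is ignored."""
    return tuple(int(p.split("-")[0] or 0) for p in text.strip().split(".")[:3])

def inspect_jar(data):
    """(version, jndi_class_present) for log4j-core bytes; None for other jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None  # e.g. slf4j-api or logback-classic, not log4j-core
        version = None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
        return version, JNDI_LOOKUP in names

def assess(jars):
    """jars: {filename: bytes} -> verdict per jar."""
    verdicts = {}
    for name, data in jars.items():
        info = inspect_jar(data)
        if info is None:
            verdicts[name] = "not-log4j-core"
        elif info[0] is not None and info[0] >= MIN_SAFE:
            verdicts[name] = "ok"
        elif not info[1]:
            verdicts[name] = "mitigated"  # old build with JndiLookup stripped
        else:
            verdicts[name] = "needs-patch"
    return verdicts

def make_jar(version=None, with_jndi=True):
    """Constructed sample jar for offline testing, not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

In practice feed `assess` the bytes of every jar from the resolved classpath (for example `lib/` of a packaged service), since a build tool can pull log4j-core in transitively even when the application only depends on the slf4j API.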