Updated Dec 30, 2021:

The GenRocket engineering team is continuing to research and test the latest Log4j version (2.17.1) in the lower environments. At the same time, we are monitoring changes to the latest versions to ensure that we update to the latest and safest version of the libraries. At this time we do not have a specific date to communicate, as we are in the process of testing.


Updated Dec 23, 2021:

Apache Log4j is widely used by many companies for logging purposes. Once the vulnerability was disclosed, we began researching the optimal solution. We do want to emphasize that GenRocket uses Log4j version 1.2.17, which is not directly impacted by the recent vulnerability announcement. Nonetheless, we are working towards upgrading/updating to the latest, safest and most effective version of the Log4j libraries (since the current version, 1.2.17, has also been shown to have some vulnerabilities).

This is an evolving situation (updated vulnerability announcements with versions 2.15, 2.16, etc.), and our engineering team is continuing to investigate and prepare to take action as necessary.

We also want to reassure you that we have no indication of any compromise to the GenRocket platform resulting from the current version of Log4j.

We will remain vigilant and share updates with our customers as developments arise. Once we have conducted sufficient research and know our plan of action, the specific timeline for the remediation will be communicated here.


Updated Dec 20, 2021:

The GenRocket engineering team is testing the updated libraries in the lower environments. Once we have more precise timing for deploying the updates to production, we will publish the target date.


Original:

Recent news announced a vulnerability affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1 (CVE-2021-44228).


We want to assure our clients that the GenRocket platform is not impacted by the vulnerability because we use library version 1.2.17.  


We can further assure you we have not found any evidence of compromise of our platform. 


Furthermore, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA) and the broader cybersecurity community, we will be upgrading our Log4j software libraries to version 2.16 as soon as possible.