Karl Martin Sonley Dec 16, 2021 2:31:50 AM 2 min read

Critical Vulnerability in Apache Log4j

Data-security in Moment is high

At Moment, we work daily to ensure good data security for our customers and their data.

On Friday, December 10, the National Security Authority issued a warning regarding a critical vulnerability in Apache Log4j.

Apache Log4j is a Javatool that is widely used in applications globally, including in our system.
 
Read more here (article in Norwegian)

We took immediate action to secure our system against this vulnerability. Less than 24 hours later, Moment was updated to use a secure version of Log4j (v2.15.0) in all locations where this tool is used.

At the same time, weaknesses were found in tools used by us internally for operation and maintenance. The following tools were updated as soon as secure versions were made available:
  • Elastic Search
  • Graylog
  • Amazon Open Search
  • Datadog

Wednesday this week we performed a new upgrade (v2.16.0) which covers a second security hole that was found in Log4j the day before.  Read more.
 
Monday December 20 another upgrade was performed  (v.2.17.0) to cover an DOS weakness which was found in Apache Log4j code (version 2.16.0). Read more here. 

Data security is highly prioritized in Moment, and we have our own dedicated resources that investigate this on an ongoing basis.

If you have questions about our Data security, you are welcome to contact Karl Martin Sonley at karl@moment.team