CVE-2021-44228 Log4j2 security information
Incident Report for Codefresh
Resolved
We have found no information that would indicate Codefresh was impacted by CVE-2021-44228.
Posted Dec 17, 2021 - 15:54 UTC
Monitoring
A zero-day vulnerability has been discovered in the open-source Apache “Log4j2” utility, a Java logging library, that could result in Remote Code Execution (RCE) if log4j logs an attacker-controlled string value without proper validation. More information on CVE-2021-44228 can be found on NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Codefresh products do not leverage or directly use a version of log4j known to be affected by the vulnerability, and thus we do not believe the Codefresh platform has been impacted. We have received responses from all our third-party vendors confirming that they have not been impacted. Nevertheless, we are continuing to observe the situation and will investigate as our security team sees fit.
Posted Dec 14, 2021 - 21:14 UTC
This incident affected: Codefresh Systems (codefresh.io).