Log4j vulnerability (CVE-2021-44228)

We've been receiving inquiries about our exposure to the recent Log4j vulnerability (CVE-2021-44228).

Our core CA software (Boulder) does not use, and has not used, Log4j. Boulder is written in Golang.

We've reviewed all other software in our infrastructure that uses Log4j. We've determined that:

  • None of this software is or was present in network segments containing devices with CA cryptographic secrets.
  • None of this software appears to expose an attack surface for this vulnerability (logging strings containing user-controlled input).
  • In the event of vulnerability, our other security measures would greatly impede an attacker's payload retrieval or data exfiltration.

Concurrently with this review, we applied mitigations to all this software that will prevent exploitation, as an additional defense-in-depth measure. These mitigations were completed before we observed any attempts at exploitation, which appear to have been naive mass scans. We are also actively communicating with the vendors of this software and will be updating to permanently fixed versions immediately upon their release.

We hope this information is helpful.