As the media have reported in dramatic terms, the German Federal Office for Information Security (BSI) has issued a level 4 warning: there are security vulnerabilities in the Java library log4j.
The all-clear up front:
Regardless of the media coverage, the Riege security team immediately analysed the impact of the vulnerability and initiated the necessary measures. We use the library in two internal backend systems, but had already patched them on Saturday. Because of our network and security design, and because these internal systems do not process input from the internet, we believe a compromise at this point is unlikely.
The wide-ranging emergency patches we applied in the night from Friday to Saturday served to close a gap in a Linux cryptography library (nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) - CVE-2021-43527). This vulnerability is also critical but has received less attention – and it is now closed.
We have done everything we could do. In addition, we urge you to check that your own systems are up to date and secure. Useful hints on how to do this can be found here: reuters.com
We continue to monitor the situation and expect timely updates from our suppliers, which we will install immediately. Disruptions to Scope operations due to these updates are unlikely, but cannot be ruled out at this point in time. Of course, we will inform you about any measures and possible effects as soon as possible.
We are always at your service. For sure!
Your Riege Security Team