Message from Element's CTO on Log4j
Element Unify not vulnerable to Log4Shell - CVE-2021-44228
Given the number of requests for information we’ve received over the past few days and the massive severity of the exploit on vulnerable systems we’re publishing this post to alleviate concerns over Element Unify’s vulnerability to this devastating attack vector.
TL;DR - Element Unify is not vulnerable to the recent Log4Shell exploit.
Element Unify is JVM based, but all of our services rely on a log stack comprised of slf4j (Simple Logging Facade for Java) which provides an api layer supporting multiple backends. Our logging backend for SLF4J is logback, which is not vulnerable to Log4Shell.
In addition, our HTTP serving layer is not a standard J2EE application server with all of the integrated bells and whistles. This means we don’t have a standard apache logging library integrated directly into the service layer.
In addition to in-house developed services, we also use a handful of 3rd party services. Only one of these services is JVM based, and we have verified that it is not vulnerable to exploitation via Log4Shell.
As I have written before, we take security seriously at Element. To learn more about that please read an earlier blog about how the element security program provides security by design.
To find out more about the major benefits of The Element Security Program, or to discuss any other questions you may have, please - contact Element today.