On Thursday, December 9, 2021, Combinostics was made aware of a vulnerability in the Apache Log4j logging utility (CVE-2021-44228). Following this, our use of this utility and its impact on our products and infrastructure were immediately investigated.
Later, on December 14, 2021, another vulnerability related to the patch for the original issue was discovered (CVE-2021-45046). In line with our procedures, this was also investigated to ensure the findings from our initial investigation were still relevant.
Log4j vulnerability review
Both investigations confirmed that Combinostics’ services are not impacted by these vulnerabilities:
- Our cNeuro services are built using C# and .NET and do not use any ported versions of Log4j.
- Our home page (www.combinostics.com) runs on WordPress with no use of Java, and it is not affected.
- The vast majority of our internal infrastructure doesn’t run Java or use Log4j and thus is not affected.
- The few pieces of software development infrastructure and 3rd-party services using Java were thoroughly investigated and found not to be affected by these vulnerabilities. We have since reviewed the communications from these 3rd parties to confirm our original assessment.
We are confident that Combinostics is not affected by the recent vulnerabilities found in Apache Log4j. We will, however, continue to track updates relating to these vulnerabilities and will provide further updates if any potential risk to our customers or products is identified.
If you have any questions, please reach out via support@combinostics.com.