Statement on Log4J Vulnerability – No Action Required
Regarding the recently disclosed log4j vulnerability, we want to assure our customers that Callisto (on-prem and as a service) is not affected. We do not use any Java-based technologies in our tech stack for Callisto.
For Callisto as a service, here are the current responses from our technology partners.
Microsoft’s Security Response Center (https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)
The log4j libraries are not provided to any Azure App Service, and because we do not use Java in any capacity, our hosted servers are not at risk from this issue. Our database server is also managed under Azure, and no log4j binary is provided by that product either.
MongoDB Inc (https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb)
None of MongoDB Inc’s core on-prem database products are affected by the log4j vulnerability. Atlas Search was affected, but we do not use any hosted solutions from MongoDB Inc; our implementation of MongoDB is hosted by us. All VM instances used for MongoDB are fully patched with the latest available software as of this morning, and no third-party software using log4j is on these servers. Our use of MongoDB is read-only; no customer data is stored by this product.