Log4j2/Log4shell and Biometrica
[Update: 2021-12-15 16:54PM ET]
Summary
- No action necessary by clients to mitigate or patch the log4j2/log4shell vulnerability
- Biometrica Systems provided services and software are not currently vulnerable
- No exploitation of the vulnerability identified
[Original Post Below]
You may have heard about a severe vulnerability (CVE-2021-44228/CVE-2021-45046) in a little known logging tool named Log4j which is provided by the Apache Software Foundation free of charge. This utility is widely used in all sorts of Java-based software – including both desktop and server applications – to generate log messages for diagnostic and other record keeping purposes.
The flaw allowed specially crafted messages sent to an application to provide unauthorized users with full control of the machine. The flaw was rated 10/10 for its ease of use and the severity of the risks.
Biometrica’s Response
Upon learning of the vulnerability, we immediately began investigating our desktop and server applications to determine if we were vulnerable to the flaw. In summary, no Biometrica Systems, Inc. provided application or service is vulnerable to the log4j2/log4shell vulnerability. Below is a detailed list of the publicly available services provided by Biometrica Systems, Inc.
| Application/Service | Version | Status | Details |
| Visual Casino | All | N/A | not written in Java |
| SSIN | All | not vuln | does not use log4j* |
| CID | All | N/A | not written in Java |
| UMbRA | All | not vuln | does not use log4j* |
| eMotive | All | not vuln | does not use log4j* |
Once our internal codebase was evaluated, we began assessing our 3rd party service providers to determine their exposure to the vulnerability.
It was determined that some underlying infrastructure and services purchased from third parties were vulnerable. We have monitored communications from these providers, and, at this time, all services provided to Biometrica Systems from 3rd party providers have either confirmed they are not vulnerable or have patched or mitigated the log4j2/log4shell vulnerability. Additionally, we have seen no activity that would indicate there was a potential compromise using this or any other exploit.
We will update this post if new information becomes available regarding any of our services.
Additional Information
If you have any further questions, please reach out to us at support@biometrica.com.
To see the status of any of our services at any time, please check: https://status.biometrica.com/.
For general technical support, please visit: https://support.biometrica.com/.