On December 10, 2021, the National Cyber and Information Security Agency issued a critical warning about vulnerability CVE-2021-44228, also known as Log4Shell. On the same day, our development team began analyzing whether DPGW is affected.
The analysis concluded that the DPGW system is not affected by the Log4Shell vulnerability.
DPGW uses Logback and SLF4J as its logging backend. Log4j itself is used neither by DPGW nor by any of its dependencies. For third-party libraries that log through the Log4j 1.x API, the log4j-over-slf4j bridge is used instead: it only reimplements that API on top of SLF4J and contains neither log4j-core nor the JNDI lookup that CVE-2021-44228 abuses, so it is not affected.
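The quickest way to confirm such a claim on a deployed system is to look at the jars actually on the classpath rather than at the declared dependencies. The following scanner is an added example, not part of the original advisory and not DPGW's own tooling: it walks a directory of jar/war files, including jars nested inside fat jars and WARs, reports any log4j-core (recognised by its JndiLookup class) and checks its version against the CVE-2021-44228 fix releases (2.15.0, or 2.12.2 and 2.3.1 on the older branches). It also shows that the log4j-over-slf4j bridge carries only Log4j 1.x API classes and is reported as not affected. The sample archives are constructed in the script, and telling log4j-over-slf4j from a real log4j 1.2 jar by filename is a heuristic.

```python
"""Scan jar/war archives, including jars nested inside fat jars, for log4j-core
and classify each hit against CVE-2021-44228 (Log4Shell)."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Class that exists only in log4j-core 2.x, the artifact affected by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.x API marker, shipped both by log4j 1.2.x and by the log4j-over-slf4j bridge.
LOG4J1_API = "org/apache/log4j/Logger.class"

CORE_VERSION = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")
# First release fixing CVE-2021-44228 on the older maintained branches (Apache Log4j
# security page); every other 2.x line is fixed from 2.15.0.
BRANCH_FIX = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}


def is_fixed(version):
    """True if this log4j-core version carries the CVE-2021-44228 fix."""
    return version >= BRANCH_FIX.get(version[:2], (2, 15, 0))


def classify(name, data):
    """Return findings for one archive (bytes) and any jars nested inside it.

    Each finding is (archive path, kind, version tuple or None, status text)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        base = name.rsplit("/", 1)[-1]
        if JNDI_LOOKUP in names:
            m = CORE_VERSION.search(base)
            if m:
                version = tuple(int(x) for x in m.groups())
                status = "fixed" if is_fixed(version) else "VULNERABLE to CVE-2021-44228"
            else:
                # Renamed or shaded jar: the class is there but the filename carries no version.
                version, status = None, "log4j-core present, version unknown: check manifest"
            findings.append((name, "log4j-core", version, status))
        elif LOG4J1_API in names:
            # Log4j 1.x API classes. log4j-over-slf4j ships them too but only routes calls to
            # SLF4J; neither it nor log4j 1.x contains log4j-core, so CVE-2021-44228 does not apply.
            # Telling the bridge from real log4j 1.2 by filename is a heuristic (assumption).
            kind = "log4j-over-slf4j" if base.startswith("log4j-over-slf4j") else "log4j-1.x"
            findings.append((name, kind, None, "not affected by CVE-2021-44228"))
        for inner in sorted(names):
            if inner.endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(classify(f"{name}!/{inner}", zf.read(inner)))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a deployed application's lib/ folder) and classify every archive."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".jar", ".war", ".ear"}:
            findings.extend(classify(str(path), path.read_bytes()))
    return findings


def build_sample_jar(entries):
    """Constructed stand-in for a real jar: a zip with the given entry names and bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, payload in entries.items():
            zf.writestr(entry, payload)
    return buf.getvalue()


def sample_findings():
    """Run the scanner over constructed archives that mimic the cases discussed above."""
    vulnerable_core = build_sample_jar({JNDI_LOOKUP: b""})
    samples = {
        "lib/log4j-core-2.14.1.jar": vulnerable_core,
        "lib/log4j-core-2.17.1.jar": build_sample_jar({JNDI_LOOKUP: b""}),
        "lib/log4j-over-slf4j-1.7.32.jar": build_sample_jar({LOG4J1_API: b""}),
        "lib/logback-classic-1.2.9.jar": build_sample_jar(
            {"ch/qos/logback/classic/Logger.class": b""}),
        # Fat jar hiding a vulnerable core one level down, the case a flat listing misses.
        "app.jar": build_sample_jar({"BOOT-INF/lib/log4j-core-2.13.3.jar": vulnerable_core}),
    }
    findings = []
    for name, data in samples.items():
        findings.extend(classify(name, data))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else sample_findings()
    for path, kind, version, status in results:
        ver = ".".join(map(str, version)) if version else ""
        print(f"{path}: {kind} {ver} -> {status}")
```

Run it with a directory argument to scan a real deployment (`python scan.py /opt/app/lib`); without one it scans the constructed samples. Logback jars produce no finding, the bridge is reported as not affected, and the log4j-core copy buried inside `app.jar` is still found. A jar whose version is not in the filename is flagged for a manual manifest check rather than silently passed.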
We ensure the security of the system through the following measures:
- we regularly check all libraries and dependencies used by our system against the CVE list for newly published vulnerabilities
- we follow the recommendations of the National Cyber and Information Security Agency
- we perform risk analysis against the OWASP Top Ten
- penetration tests of our system are performed regularly by Crashtest Security
