As of 12/19/2021, all Openprise production components in all environments have been remediated to mitigate the Log4j vulnerabilities related to JNDI described in CVE-2021-44228 (and its related CVEs).
A remote code execution (RCE) vulnerability has been found in the widely used Log4j library: https://www.lunasec.io/docs/blog/log4j-zero-day/. The Openprise security team investigated the impact of CVE-2021-44228 and started implementing its mitigation on 12/10/2021. The impact is high but the likelihood is low, as most field entries in Openprise are sanitized for special characters. However, if the vulnerability is triggered, the impact is as described in the CVE: an attacker can execute arbitrary code on our servers.
The mitigation strategy that Openprise is applying is the one suggested by Apache: either disable JNDI lookup or remove the JndiLookup class from the classpath. As of 12/11/2021, all Internet-facing servers and components have been restarted with mitigation flags applied. Openprise is continuing to restart internal components with the mitigation flags as fast as possible while ensuring our customers' running processes are unaffected wherever possible. Remediation of all production components with mitigation flags has been completed as of 12/19/2021. We will continue to monitor news and announcements related to this vulnerability, and if additional actions are required, we will take further measures to address them and update this announcement.
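For readers applying the class-removal mitigation to their own systems, the following added example (not Openprise's code) checks whether the JndiLookup class is still present in an archive, including log4j-core jars nested inside WAR or fat-jar bundles. The function names and the sample archives are assumptions constructed for illustration; only the class path inside log4j-core is real.

```python
import io
import zipfile

# Real class path inside log4j-core; removing this entry is the Apache-suggested mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def find_jndi_lookup(data, label="archive", max_depth=4):
    """Return locations ('outer.war!/inner.jar!/...class') where JndiLookup is still present."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                # Fat jars and WARs bundle log4j-core as a nested archive.
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}", max_depth - 1)
    return hits


def _make_zip(entries):
    """Build a constructed in-memory archive from {name: bytes} (hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    # Constructed sample archives (placeholders, not real log4j builds).
    unpatched = _make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    patched = _make_zip({"META-INF/MANIFEST.MF": b""})
    app = _make_zip({"WEB-INF/lib/log4j-core.jar": unpatched,
                     "WEB-INF/lib/other.jar": patched})
    return {
        "unpatched": find_jndi_lookup(unpatched, "log4j-core.jar"),
        "patched": find_jndi_lookup(patched, "log4j-core.jar"),
        "app": find_jndi_lookup(app, "app.war"),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "JndiLookup not present")
```

To scan a file on disk, pass its bytes to `find_jndi_lookup`; an empty list means the class was not found at any nesting level up to `max_depth`.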