Synthetix NOT AFFECTED by the Log4j exploit

A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on GitHub on 9 December 2021 and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.

Synthetix is aware of this vulnerability and has completed verification. The only product where we use Java is the SumoLogic collector, which does not use the affected versions of Log4j and is installed only on very old versions of our application, so it is not impacted by this vulnerability.

Even though the version of the SumoLogic collector we have isn't affected, we have taken preventative steps and completely removed the service from the deprecated servers that had it installed.