The media have reported dramatically that the German Federal Office for Information Security (BSI) has issued a level 4 warning: there are security vulnerabilities in the Java library log4j.
The all-clear in advance:
Scope does not use the affected library log4j. An update is not necessary.
Regardless of this, the Riege security team immediately analysed the impact of the security vulnerability and initiated the necessary measures. We use the library in two internal backend systems, but had already patched them by Saturday. Because of our network and security design, and because these internal systems do not process input from the internet, we consider a compromise at this point unlikely.
The Riege security team works quickly and intervenes when necessary.
The wide-ranging emergency patches we applied in the night from Friday to Saturday closed a vulnerability in a Linux cryptography library (nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) - CVE-2021-43527). This is also critical, but receives less attention – and is now closed.
Check the security of your own systems, too!
We have done everything we could do. In addition, we urge you to check that your own systems are up to date and secure. Useful hints on how to do this can be found here: reuters.com
We will be watching closely and keep you informed.
We continue to monitor the situation and expect timely updates from our suppliers, which we will install immediately. Disruptions to Scope operations due to these updates are unlikely, but cannot be ruled out at this point in time. Of course, we will inform you about any measures and possible effects as soon as possible.
We are always at your service. For sure!
Your Riege Security Team