Lean Library is aware of the recently disclosed security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228). We do not directly use Log4j at Lean Library, but we have patched our Elasticsearch instances and infrastructure with the latest security patches to be safe.
In light of the latest Day 0 vulnerability reported on Apache Log4j (CVE-2021-44228) on 9th December 2021, we thought we would highlight how it affects, or rather does not affect, Lean Library services directly.
Our systems themselves do not include Log4j but we utilise a third-party Elasticsearch service which might. Our provider has published an article stating that Elasticsearch instances do not use Log4j but that other connected services might, and so advised an upgrade to the latest version as soon as possible.
Today, we took the step to bring forward a minor upgrade on some Elasticsearch instances. This Elasticsearch instance sits outside of other protected cloud services and stores no personal data. If the Elasticsearch cluster was compromised due to Log4j, no loss or exposure of private data would occur for Lean Library admins or users.
If you have any concerns, please reach out to us via opening a ticket and we will be more than happy to discuss the issue with you in further detail.