In review, this is not a good bug. In fact, it appears to be rated the highest in severity. More details about the Log4j2 bug >>
As far as aMiSTACX deployments are concerned:
Elasticsearch
This is relevant to any deployment specific to Magento 2, and to any version that is using Elasticsearch; however, Elasticsearch states NO direct impact:
Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager, however we are making a fix available for an information leakage attack also associated with this vulnerability. Additional details below
More info on ES and Apache Log4j2>>
Ubuntu
For Ubuntu OS, more information is required >>
Solr
Customers who use our catalog search module, which depends on Apache Solr, should follow these steps:
- Contact aMiSTACX for patch
- Test in Development first!
- Upload the zip contents to /home/ubuntu and make the file patch.solr.sh executable.
- Run via
sudo ./patch.solr.sh
- Select menu item 1 or 2. Selection 2 is the upgrade to log4j.
More info here >>
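To check a Development box before and after the patch run, the following added example (not aMiSTACX's patch script and not code from this page) inventories every log4j-core copy under a directory, including jars nested inside war files, and reports its version and whether it still ships the JndiLookup class that performs the JNDI lookups behind this bug. The function names, the sample jar and its version string are assumptions constructed for illustration.

```python
import io
import os
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def inspect_archive(source, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then descend into nested archives."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip archive: nothing to report
    with zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version = next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                        if ln.startswith("version=")), None)
        if POM_PROPS in names or JNDI_CLASS in names:
            findings.append({"archive": label, "version": version, "jndi": JNDI_CLASS in names})
        if depth < 3:  # war files and fat jars bundle other jars
            for name in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXTS)):
                inspect_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)

def scan(root):
    """Walk root and return one finding per log4j-core copy, sorted by location."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            inspect_archive(path, path, findings)
    return sorted(findings, key=lambda f: f["archive"])

def make_sample_jar(target, version, with_jndi):
    """Constructed sample: a minimal stand-in for a log4j-core jar, not a real one."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: scan one constructed sample jar instead
        make_sample_jar(os.path.join(root, "sample-core.jar"), "0.0.0-sample", True)
    for f in scan(root):
        print(f["archive"], f["version"], "JndiLookup present" if f["jndi"] else "JndiLookup absent")
```

A repackaged jar that dropped its Maven metadata is reported with version `None`, so the JndiLookup column is the signal to rely on in that case.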
Misc.
If you are using our recommended CDN, Cloudflare, then their teams have already been proactive.
Tip: Make sure you use A51 with IP origin lists so that only Cloudflare traffic reaches your EC2 servers.
Lead~Robot