After investigation, we’ve concluded that we are not affected by log4shell.
Nevertheless, we investigated any exposure we might have.
We don’t use log4j at all. However, we discovered that a third-party dependency does.
We’ve configured our build project to ensure that the fixed version of log4j (2.16) is used by that third-party dependency.
We’ve verified this fix with multiple sets of eyes.
We built and deployed this updated version as a precaution.
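The three steps above (pin the transitive log4j version, verify the pin took effect, then deploy) can be backed by an automated check. The following script is an added example, not Feature Upvote’s own tooling: it scans the text output of `mvn dependency:tree` for every resolved `log4j-core` artifact and reports any version below 2.16.0. The dependency tree it runs over is constructed here for illustration (the `com.example` coordinates and the `some-third-party-lib` name are made up); in practice you would pipe the real build output into `check`.

```python
import re

# Constructed sample of `mvn dependency:tree` output: a third-party library
# pulls in log4j-core 2.14.1 transitively (coordinates are made up).
SAMPLE_TREE = """\
[INFO] com.example:featureupvote-app:jar:1.0.0
[INFO] +- com.example:some-third-party-lib:jar:3.2.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
"""

# The same tree after the build has been configured (e.g. via Maven
# dependencyManagement) to force log4j 2.16.0 onto that dependency.
SAMPLE_TREE_PINNED = SAMPLE_TREE.replace("2.14.1", "2.16.0")

# Lowest log4j-core version accepted; 2.16.0 is the fixed version named above.
MIN_SAFE = (2, 16, 0)

# Matches "org.apache.logging.log4j:log4j-core:<type>:<version>:<scope>"
ARTIFACT_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:[^:]+:([0-9][0-9A-Za-z.\-]*):"
)


def parse_version(text):
    """Turn "2.16.0" into (2, 16, 0); pad short versions, drop "-rc1" style qualifiers."""
    nums = re.findall(r"\d+", text.split("-")[0])
    parts = [int(n) for n in nums[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_log4j_core(tree_output):
    """Return (line_number, version_tuple, raw_version) for each log4j-core line."""
    hits = []
    for lineno, line in enumerate(tree_output.splitlines(), 1):
        m = ARTIFACT_RE.search(line)
        if m:
            hits.append((lineno, parse_version(m.group(1)), m.group(1)))
    return hits


def vulnerable_versions(tree_output, minimum=MIN_SAFE):
    """List (line_number, raw_version) for every log4j-core below `minimum`."""
    return [(ln, raw) for ln, ver, raw in find_log4j_core(tree_output) if ver < minimum]


def check(tree_output):
    """True when every resolved log4j-core in the tree is at or above MIN_SAFE."""
    return not vulnerable_versions(tree_output)


if __name__ == "__main__":
    for label, tree in (("before pin", SAMPLE_TREE), ("after pin", SAMPLE_TREE_PINNED)):
        bad = vulnerable_versions(tree)
        status = "OK" if not bad else "FAIL " + ", ".join(f"line {ln}: {v}" for ln, v in bad)
        print(f"{label}: {status}")
```

Running it as a CI step after the build (`mvn dependency:tree | python check_log4j.py`, with `check` reading stdin instead of the sample) turns the “multiple sets of eyes” verification into a repeatable gate: the pinned tree passes, the unpinned one fails and names the offending line. Note that the regex only recognises the Maven tree format; Gradle’s `dependencies` report prints resolved versions as `2.14.1 -> 2.16.0` and would need its own pattern.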
Some other measures we use to protect Feature Upvote:
- Our application is protected by AWS WAF (Web Application Firewall), which gives us an additional layer of protection against the log4shell vulnerability, as well as other vulnerabilities.
- Once a month, a team member updates our app to use the latest versions of all our dependencies.
- Once a month, a team member ensures our servers are updated with all the latest security updates.
- When necessary, we act immediately to install additional fixes.
None of these measures are sufficient by themselves. Together, however, when combined with the rest of our security-conscious processes, we aim to keep Feature Upvote safe from known and unknown security vulnerabilities.