Visual-Meta and its internal developer team became aware of a potential security incident on Friday, December 10th, which had a global impact across many software services and providers. A zero-day vulnerability to a widely used Apache component called log4j was announced. This vulnerability is limited to certain versions of the library and has already been resolved in the currently released version, but nonetheless could in that brief time period exploited by a bad actor(s).
UPDATE December 22st, 2021, 5 pm CET
Visual-Meta updated all affected components to version 2.17. We closely monitor the situation and will act immediately when another serious vulnerability occurs.
UPDATE December 21st, 2021, 1 pm CET
Even though we managed to update all our systems in no time to 2.16, Suspicion of a Denial-of-Service bug affecting the same version was found. This bug can cause an infinite recursion of our services and therefore the application will crash.
Currently, we are in the process of upgrading all the systems again. We are monitoring for any compormise or exploitation but haven’t found anything so far. We will keep this page updated.
UPDATE December 16th, 2021, 4 pm CET:
Visual Meta has evaluated our externally exposed systems and has mitigated most services. To thoroughly test the remaining solution, we have delayed some changes until the end of the day Friday.
An additional low-risk vulnerability (CVE-2021-45046) has been reported that was introduced by a recommended fix. We are in the process of modifying any systems that used that mitigation to eliminate that risk.
No evidence of compromise or exploitation has been found and our teams continue to monitor for any malicious activity or further developments.
We are continuing to evaluate the status of our suppliers as information becomes available.