16. 12. 2021

Quant Retail Statement on log4j / log4shell

Similar to the rest of the industry, we became aware on the 10th of December 2021 of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library log4j (all versions between 2.0 and 2.14.1 are vulnerable).  

The same day we audited all our systems. Fortunately, we have not had a vulnerable version directly within Quant. We had several vulnerable applications on servers and internally, which we patched on the first day, and according to audits of all log files, we did not detect any successful exploit attempt going back one month.

We are constantly monitoring the situation. Because there is no threat directly within Quant, you do not have to worry and no updates are needed.


From Dana: The affected applications are isolated, so in the event that the vulnerability got exploited or a new vulnerability was found, those applications would not be able to access customer data.