
EasyPost Update Regarding CVE-2021-44228
by James Brown
EasyPost would like to assure customers that we are not affected by CVE-2021-44228 (a.k.a. "log4shell"), the recently published remote code execution vulnerability in log4j2 versions 2.0-beta9 through 2.14.1. EasyPost does not use any Java components in an Internet-facing capacity, patched all affected internal components as soon as the vulnerability was announced, and has confirmed that no exploitation of our systems occurred.
We are still working with carrier partners to determine whether any of them were affected and will share any findings with affected customers. We have also put in place mitigations to prevent our systems from being used as an attack vector against third parties.
We recommend that all customers who use log4j2 anywhere in their infrastructure upgrade to log4j2 2.15.0 as soon as possible. If you cannot upgrade immediately and are running version 2.10 or later, set the system property log4j2.formatMsgNoLookups to true (for example, by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command line); 2.x versions earlier than 2.10 ignore this property and must be upgraded. Additional useful information can be found in posts from Microsoft, Kaspersky, and LunaSec.
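The recommendation above presupposes that you know where log4j2 lives in your infrastructure, which is usually the hard part. The following script is an added example and not EasyPost's code: it walks a directory tree, identifies log4j-core JARs by their Maven pom.properties entry, and classifies each one as not affected, affected but mitigable with the log4j2.formatMsgNoLookups property (2.10 through 2.14.1), or affected and only fixable by upgrading (2.0-beta9 through 2.9.x). It goes slightly beyond the post by also noting whether the JndiLookup class has been removed from the JAR (Apache's own fallback mitigation) and by allow-listing the 2.12.2 and 2.3.1 backport fixes that were released after the advisory. The sample JARs are constructed in a temporary directory so the script runs offline; the pom.properties path is the standard Maven layout for org.apache.logging.log4j:log4j-core.

```python
"""Locate log4j-core JARs on disk and classify them for CVE-2021-44228.

Added example, not EasyPost's code.  Assumptions: JARs carry the standard
Maven pom.properties for org.apache.logging.log4j:log4j-core; sample JARs
below are constructed purely so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing ${jndi:...}; Apache also lists deleting it from
# the JAR as a fallback mitigation when an upgrade is not possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}  # final release sorts as 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> sortable tuple; None if unparseable.
    Pre-releases sort before the final: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, _PRE_ORDER[m.group(4)], int(m.group(5)))
    return (major, minor, patch, 3, 0)


AFFECTED_MIN = parse_version("2.0-beta9")  # JndiLookup first shipped here
AFFECTED_MAX = parse_version("2.14.1")     # last release before 2.15.0 fix
PROPERTY_MIN = parse_version("2.10.0")     # formatMsgNoLookups honoured from here
BACKPORT_FIXES = {"2.12.2", "2.3.1"}       # Java 7/6 fixes released after this post


def classify(version_text):
    """Map a log4j-core version string to a remediation status."""
    if version_text.strip() in BACKPORT_FIXES:
        return "not_affected"
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return "not_affected"
    if v >= PROPERTY_MIN:
        return "affected_property_or_upgrade"
    return "affected_upgrade_only"


def scan_jar(path):
    """Return (version, jndi_class_present) for a log4j-core JAR, else None.
    Shaded/fat JARs that bundle log4j-core usually keep this pom.properties."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES not in names:
            return None
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        return (m.group(1).strip() if m else ""), JNDI_LOOKUP_CLASS in names


def scan_tree(root):
    """Walk root for *.jar files (nested archives are not descended into)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                hit = scan_jar(path)
            except zipfile.BadZipFile:
                continue
            if hit is None:
                continue
            version, has_jndi = hit
            status = classify(version)
            if status.startswith("affected") and not has_jndi:
                status = "affected_version_but_jndilookup_removed"
            findings.append({"path": path, "version": version, "status": status})
    return findings


def build_sample_tree():
    """Constructed sample data: fake JARs in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(relpath, version, with_jndi=True):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\n"
                                        f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub class bytes

    make_jar("app/lib/log4j-core-2.14.1.jar", "2.14.1")
    make_jar("app/lib/log4j-core-2.9.1.jar", "2.9.1", with_jndi=False)
    make_jar("svc/lib/log4j-core-2.15.0.jar", "2.15.0")
    with zipfile.ZipFile(os.path.join(root, "svc/lib/other.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # unrelated JAR
    return root


if __name__ == "__main__":
    for f in sorted(scan_tree(build_sample_tree()), key=lambda f: f["path"]):
        print(f"{f['status']:45} {f['version']:8} {f['path']}")
```

Point scan_tree at a real application root (or a container image's unpacked filesystem) instead of the constructed sample. A JAR that reports an affected version but no JndiLookup class has already been hardened by class removal; everything else flagged "affected" needs the property or an upgrade as described above.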
If you have any questions or concerns, please contact security@easypost.com.