EasyPost Update Regarding CVE-2021-44228
by James Brown
EasyPost would like to assure customers that we are not affected by CVE-2021-44228 (a.k.a. "log4shell"), the recently published vulnerability in log4j2 versions 2.0-beta9 through 2.14.1. EasyPost does not use any Java components in an Internet-facing capacity, patched all affected internal components as soon as the vulnerability was announced, and has confirmed that no exploitation of our systems occurred.
We are still working with carrier partners to determine if any of them were affected and will share any findings with affected customers. We have also put in place mitigations to prevent our systems from being used as an attack vector against third parties.
We recommend that all customers who use log4j2 anywhere in their infrastructure upgrade to log4j2 2.15.0 or later as soon as possible. If an immediate upgrade is not possible and you are running version 2.10 or later, set the system property log4j2.formatMsgNoLookups to true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true) as a stop-gap; versions earlier than 2.10 do not honour this property and must be upgraded. Additional useful information can be found in posts from Microsoft, Kaspersky, and LunaSec.
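To act on the advice above you first need to know which log4j-core jars are on a host and which of the two remedies applies to each. The following scanner is an added example written for this post; it is not EasyPost tooling and not part of the original announcement. It assumes jars follow Log4j's own naming convention (log4j-core-<version>.jar), uses the class path org/apache/logging/log4j/core/lookup/JndiLookup.class that ships inside log4j-core, and builds constructed stand-in jars in a temporary directory so it runs offline. Beyond the two remedies the post names, it also recognises a jar from which JndiLookup.class has been stripped, which is Apache's documented fallback mitigation.

```python
"""Locate log4j-core jars on disk and classify them against the Log4Shell
advisory: which are in the affected range, which can use the
log4j2.formatMsgNoLookups mitigation, and which already carry the fix."""
import os
import re
import shutil
import tempfile
import zipfile

# Class inside log4j-core that performs the JNDI lookup abused by Log4Shell.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches log4j-core-<major>.<minor>[.<patch>][-<qualifier>].jar,
# e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
JAR_NAME_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?\.jar$"
)

# Version tuples are (major, minor, patch, is_final, qualifier); a pre-release
# qualifier such as beta9 or rc1 sorts before the final release of the same
# number. Qualifiers are compared as plain strings, which is good enough for
# the 2.0 betas and release candidates that actually shipped.
FIRST_VULNERABLE = (2, 0, 0, 0, "beta9")   # 2.0-beta9 is the first affected release
FIRST_MITIGABLE = (2, 10, 0, 1, "")        # formatMsgNoLookups exists from 2.10 on
FIRST_FIXED = (2, 15, 0, 1, "")            # the release this post tells customers to move to


def parse_version(jar_path):
    """Version tuple for a log4j-core jar name, or None for any other file."""
    match = JAR_NAME_RE.match(os.path.basename(jar_path))
    if not match:
        return None
    major, minor, patch, qualifier = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1, qualifier or "")


def classify_version(version):
    """Map a version tuple to the action the advisory implies."""
    if version is None:
        return "unknown"
    if version < FIRST_VULNERABLE:
        return "not-affected"
    if version >= FIRST_FIXED:
        # Meets this post's recommendation. Apache later shipped further
        # releases for follow-on CVEs, so also check the current Apache advisory.
        return "fixed"
    if version >= FIRST_MITIGABLE:
        return "vulnerable-mitigable"      # upgrade, or set -Dlog4j2.formatMsgNoLookups=true
    return "vulnerable-upgrade-required"   # the system property does not exist here


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def assess_jar(jar_path):
    """Classify one jar by name, then downgrade a vulnerable verdict when the
    JNDI lookup class has been stripped out (Apache's documented fallback
    mitigation, which this post does not mention)."""
    status = classify_version(parse_version(jar_path))
    if status.startswith("vulnerable") and not jar_has_jndi_lookup(jar_path):
        status = "mitigated-class-removed"
    return status


def scan(root):
    """Walk a directory tree and return {jar_path: status} for every log4j-core jar."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.match(name):
                path = os.path.join(dirpath, name)
                findings[path] = assess_jar(path)
    return findings


def make_sample_jar(path, with_jndi_class):
    """Write a constructed stand-in jar: a manifest plus, optionally, an empty
    JndiLookup.class entry. Only the entry names matter to the scanner."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def demo():
    """Build constructed sample jars in a temp dir, scan them, and return
    {relative_path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "lib/log4j-core-2.14.1.jar": True,       # affected, property mitigation available
        "old/log4j-core-2.9.1.jar": True,        # affected, too old for the property
        "patched/log4j-core-2.11.2.jar": False,  # affected version, but class stripped
        "new/log4j-core-2.15.0.jar": True,       # fixed release (class present but restricted)
        "lib/log4j-api-2.14.1.jar": False,       # not log4j-core: ignored by the scanner
    }
    try:
        for rel, with_class in samples.items():
            make_sample_jar(os.path.join(root, rel), with_class)
        return {os.path.relpath(p, root): s for p, s in scan(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:28} {path}")
```

Run scan() against a real application root (for example the directory your JVMs load jars from) instead of demo(); anything reported as vulnerable-upgrade-required has no property-based mitigation and must be upgraded, and a fixed verdict only says the jar meets the version this post recommends, not that it satisfies every later Apache advisory. Jars shaded into fat jars or renamed will not match the filename pattern, so treat an empty result as "nothing found by name", not as proof of absence.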
If you have any questions or concerns, please contact security@easypost.com.