EasyPost Update Regarding CVE-2021-44228

by James Brown

EasyPost would like to assure customers that we are not affected by CVE-2021-44228opens in new tabopen_in_new (a.k.a. "log4shell"), the recently-published vulnerability in log4j2opens in new tabopen_in_new versions 2.0 through 2.14. EasyPost does not use any Java components in an Internet-facing capability, patched all affected internal components as soon as the vulnerability was announced, and has confirmed that no exploitation of our systems occurred.

We are still working with carrier partners to determine if any of them were affected and will share any findings with affected customers. We have also put in place mitigations to prevent our systems from being used as an attack vector against third parties.

We recommend all customers who use log4j2 anywhere in their infrastructure upgrade to log4j2 2.0.15 as soon as possible, or set the system property log4j2.formatMsgNoLookup to true if you are using version 2.10 or later. Additional useful information can be found in posts from Microsoftopens in new tabopen_in_new, Kasperskyopens in new tabopen_in_new, and LunaSecopens in new tabopen_in_new.

If you have any questions or concerns, please contact security@easypost.com.