jpadilla
4 years ago

Is community impacted by Log4J vulnerability?

Is the Khoros community impacted by this log4j vulnerability: CVE-2021-44228?

15 Replies

  • -dirk-
    Maven
    4 years ago

    Khoros support is very fast and answered me via case ticket:


    Yes, Khoros uses log4j version 2.16.

    khoros: Good job 👍

  • -dirk-
    Maven
    4 years ago

    As for the news from this weekend, version 2.16 is also vulnerable, so the question arises whether the Khoros community is currently using version 2.17 already or when it will be used?

    If anyone has info concerning this, please share with us.

    *fingers crossed*


  • tyw wrote:

    I think the issue you're seeing is related to Web Application Firewall (WAF) changes that may have been made on your site. We hit this with the word 'localhost'. No matter what we did, that word caused a 403 error. 

    After checking in with Support they asked me to review the WAF email and sure enough that was the culprit. 


    The 403 forbidden error is definitely because of the WAF, and rightly so!

    It's basically the 1st line of defense in preventing any kind of attack using the Log4Shell vulnerability. The WAF blocks "jndi" followed by ":" because that is a must in the string used to start the attack.

    So even if you have a vulnerable server, the server will not receive any malicious strings because you're blocking it before it even gets sent to the server. 
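
The filtering described in the reply above, as an added Python example that is not part of the thread and is not Khoros's actual WAF rule: it percent-decodes and case-folds each request field before looking for "jndi" followed by ":", which also shows why an ordinary forum post containing that text gets a 403. The request layout, the decode bound and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# The token the reply describes: "jndi" followed by ":".
# Case-insensitive matching is a conservative choice made for this example.
JNDI_TOKEN = re.compile(r"jndi:", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def normalize(value):
    """Percent-decode repeatedly (bounded) so an encoded ':' (%3A) is still seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request):
    """Return the names of the request fields that contain the blocked token."""
    fields = {"path": request.get("path", ""), "body": request.get("body", "")}
    for name, val in request.get("headers", {}).items():
        fields["header:" + name] = val
    return [name for name, val in fields.items()
            if JNDI_TOKEN.search(normalize(val))]


def waf_status(request):
    """403 if any inspected field matches, otherwise 200."""
    return 403 if inspect_request(request) else 200


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    {"path": "/t5/forums/post", "body": "Is our community affected by Log4j?"},
    {"path": "/t5/forums/post", "body": "Why does typing jndi: give me a 403?"},
    {"path": "/", "headers": {"User-Agent": "scanner JNDI%3Aplaceholder"}},
    {"path": "/search?q=jndi%253Aplaceholder", "headers": {}},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(waf_status(req), inspect_request(req))
```
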

     

  • IanKl
    Khoros Alumni (Retired)
    4 years ago

    The engineering teams worked very hard before the holidays to get everything locked down, updated, and fixed, and are continuing to be on top of this and other security issues. Site and data security is our top priority. 

    HelgaMarieAuran's answer from her TAM is correct: 

    "We completed a thorough investigation of our global infrastructure since we were made aware of the flaw on December 10 and found zero indication of any successful exploitation of this vulnerability in our environment. Further, we have identified and mitigated all of the known risks resulting from the vulnerability in our environment. As of 2021-12-11 2:45pm CT, all Khoros product infrastructure is considered mitigated against the known risk of this vulnerability.

    We continue to remain vigilant while assessing our overall security posture and will further review our systems and services for potential risk and take appropriate actions should any new information about the vulnerability be discovered."