Acumatica has analyzed the potential impact of the recently disclosed vulnerability CVE-2021-44228 in Apache Log4j (widely known as Log4Shell) and determined that there is no immediate threat to Acumatica users. The vulnerability allows remote code execution: an attacker who can get a crafted string logged by a vulnerable Log4j 2 instance can make the application fetch and run attacker-supplied code, performing unauthorized operations with the privileges of the logging application. It carries the maximum Common Vulnerability Scoring System (CVSS) base score of 10.0 (Critical).
The Acumatica SaaS platform does not use Apache Log4j; the environment runs on Microsoft IIS-hosted services. Although the environment is therefore not susceptible to this vulnerability, we continue to monitor and assess our hosted products for vulnerabilities to protect both SaaS and self-hosted customers, and we issue security bulletins with remediation instructions for self-hosted installations. Self-hosted customers should note that this statement covers the Acumatica product itself; other Java software running on the same servers is outside its scope and should be checked separately.
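Self-hosted operators who want to confirm the absence of a vulnerable Log4j 2 on their own servers can do so with a small scanner like the one below. This is an added example for this advisory, not Acumatica code: it walks a directory tree, picks out jars containing Log4j 2 core classes, reads the version from the jar manifest (falling back to the conventional `log4j-core-<version>.jar` file name), and classifies it against the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, with 2.15.0+, 2.12.2+ and 2.3.1+ fixed). It also reports the case where the `JndiLookup` class has been removed from an otherwise affected jar, which was the documented mitigation. The sample jars in `demo()` are constructed in memory and do not come from any real product.

```python
"""Scan a directory tree for Log4j 2 jars affected by CVE-2021-44228 (Log4Shell).
Added example for this advisory, not Acumatica code. Sample jars are constructed."""
import io
import re
import zipfile
from pathlib import Path

# Log4j 2 JNDI lookup class; deleting it from the jar was the documented mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '2.14.1', '2.0-beta9' or '2.0-rc1' into a sortable tuple, or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    # pre-release tags sort before the final release of the same number
    rank = {"beta": 0, "rc": 1, None: 2}[m[4]]
    return (major, minor, patch, rank, int(m[5] or 0))


def affected_by_44228(version):
    """True if this log4j-core version ships the exploitable JNDI lookup
    (2.0-beta9 to 2.14.1). Fixed lines: 2.15.0+, 2.12.2+ (Java 7), 2.3.1+ (Java 6)."""
    if version[0] != 2:
        return False  # Log4j 1.x has no Log4j 2 lookup plugin; not this CVE
    if version >= parse_version("2.15.0"):
        return False
    if version[1] == 12 and version >= parse_version("2.12.2"):
        return False
    if version[1] == 3 and version >= parse_version("2.3.1"):
        return False
    return version >= parse_version("2.0-beta9")


def inspect_jar(jar_bytes, name):
    """Classify one jar; returns None for jars that carry no Log4j 2 core classes.
    Shaded jars that relocate the package would be missed by the prefix check."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        if version is None:  # fall back to the conventional file name
            m = re.search(r"log4j-core-(.+?)\.jar$", name)
            version = m[1] if m else None
        parsed = parse_version(version) if version else None
        if parsed is None:
            verdict = "unknown"
        elif not affected_by_44228(parsed):
            verdict = "not affected"
        elif JNDI_CLASS in names:
            verdict = "VULNERABLE"
        else:
            verdict = "mitigated (JndiLookup.class removed)"
        return {"jar": name, "version": version, "verdict": verdict}


def scan_tree(root):
    """Classify every .jar under root (top-level jars only; jars nested inside
    .war/.ear archives would need recursive unpacking)."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        result = inspect_jar(path.read_bytes(), path.name)
        if result:
            findings.append(result)
    return findings


def build_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (example data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def build_plain_jar():
    """Constructed jar with no Log4j classes at all; should be ignored by the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/App.class", b"")
    return buf.getvalue()


def demo():
    """Run the classifier over constructed sample jars covering each verdict."""
    samples = [
        ("log4j-core-2.14.1.jar", build_jar("2.14.1")),
        ("log4j-core-2.14.1-stripped.jar", build_jar("2.14.1", include_jndi=False)),
        ("log4j-core-2.12.2.jar", build_jar("2.12.2")),
        ("log4j-core-2.17.1.jar", build_jar("2.17.1")),
        ("log4j-core-2.0-beta8.jar", build_jar("2.0-beta8")),
    ]
    return [inspect_jar(data, name) for name, data in samples]


if __name__ == "__main__":
    for f in demo():
        print(f"{f['jar']:32} {str(f['version']):10} {f['verdict']}")
```

To check a real server, call `scan_tree(r"C:\")` (or the relevant application roots) and review any entry whose verdict is `VULNERABLE` or `unknown`; the version check alone is not enough, since an affected version with `JndiLookup.class` deleted is no longer exploitable via this CVE, which is why the two conditions are evaluated together.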
Acumatica uses a mature, formal process to handle vulnerabilities identified both internally and externally. A dedicated, full-time threat intelligence team with an Acumatica-wide view continuously reviews new reports of vulnerabilities, threats and compromises for possible impact on our products and network.
Acumatica operates a Secure Development Lifecycle that includes, among other practices, supply chain security, a third-party component manifest and third-party component monitoring. Through these practices we ensure that third-party components are sourced from trusted repositories, scanned and tested, free of known CVEs, and signed to establish authenticity and integrity. Newly disclosed vulnerabilities in listed components are tracked to closure, and unsupported third-party components are deprecated.
Acumatica follows a formal secure coding practice designed to protect against malicious code, backdoors, vulnerabilities introduced through transitive dependencies, and other threats.
Acumatica actively patches and, where appropriate, applies mitigations for vulnerabilities such as Log4j. Zero-day and critical vulnerabilities are fast-tracked and delivered outside the product's major release cycle. We prioritize patches according to their CVSS score and our own enhanced scoring, which takes additional data points into account. Configuration changes and patch installations undergo Quality Assurance analysis and testing before deployment to production systems to prevent unexpected service interruptions.