Authorize.net payment plugin - Java vulnerability

2 years 4 months ago #148363 by Bay
We got an email from Auth.net saying there was a global Java vulnerability with Java and wanted to know if the Auth.net payment plugin you provide is affected in any way.

See email below:

We are aware of the vulnerability recently identified that affects websites or applications using Java, specifically the log4j versions 2.0 – 2.14.1. These versions primarily use the "jndi:" logging.

While we realize that this is a global Java vulnerability that many organizations around the world are becoming aware of, we want to assure you that we are addressing this finding with the utmost priority and are actively working to update our systems to the log4j version 2.15. We strongly recommend that you review all of your applications and do the same.

In order to mitigate additional vulnerabilities, you or your web developer or solution provider should switch any current log4j2.formatMsgNoLookups to a status of true by adding: "-Dlog4j2.formatMsgNoLookups=True" to the JVM command used for starting the application.

Additionally, to help prevent the library being exploited, we urgently recommend that any Java Log4j versions are upgraded to log4j-2.15.0-rc1.

Please contact your developer, application solution, and/or hosting provider for further assistance in identifying your business applications requiring this update.

More information regarding this vulnerability finding can be found here.

We will provide additional updates on our timelines of updates to our Authorize.net systems here.

Thank you for your attention to this urgent matter.

Sincerely,
Authorize.net
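
The email asks recipients to review their applications for log4j 2.0 – 2.14.1. The following is an added example, not part of the original post or of Authorize.net's email: a Python inventory check that finds log4j-core copies in a directory tree, including ones nested inside WAR/EAR or other JAR files, and flags versions in that range. It assumes the jars still carry log4j-core's Maven `pom.properties` metadata; the file names `shop.war` and `log4j-core.jar` are constructed sample data.

```python
import io, re, tempfile, zipfile
from pathlib import Path

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # range stated in the email
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label, findings):
    """Record log4j-core in this archive and in any archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:  # Maven metadata that log4j-core jars carry
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.M)
            ver = parse_version(m.group(1)) if m else None
            hit = ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX
            findings.append((label, ver, hit))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), f"{label}!{n}", findings)

def scan_tree(root):
    """Walk a directory; return [(location, version, affected)] per copy found."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), str(p.relative_to(root)), findings)
    return findings

def make_jar(name, body):  # constructed sample archive, built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()

def demo():
    """Constructed input: a WAR bundling 2.14.1 beside a standalone 2.15.0 jar."""
    old = make_jar(POM_PROPS, b"version=2.14.1\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "shop.war").write_bytes(make_jar("WEB-INF/lib/log4j-core.jar", old))
        Path(d, "log4j-core.jar").write_bytes(make_jar(POM_PROPS, b"version=2.15.0\n"))
        return scan_tree(d)
```

Point `scan_tree()` at an application or server directory to get one row per copy found. Builds that strip `META-INF/maven` during repackaging will not be detected by this check.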


Moderators: Giang Dinh Truong