As you probably noticed, a new vulnerability in log4j, a logging framework used in Java-based applications, is impacting companies worldwide. If correctly exploited, attackers may use the vulnerability to gain remote access and inject malicious code damaging business applications, servers, or IT systems.
Oro’s technical team monitored any potential exposure to the log4j vulnerability and analyzed the steps needed to protect systems. Our assessment determined that Oro has no exposure to this vulnerability: all supported Oro applications, including OroCommerce, OroCRM, and OroMarketplace, as well as any applications running on OroCloud, are not affected.
First of all, Oro is PHP-based and does not run on Java.
While Oro uses the Elasticsearch search engine, it has been verified to be unaffected by this vulnerability.
Oro’s Elasticsearch instance runs on a dedicated server and accepts requests only from Oro code. Furthermore, Oro uses up-to-date Elasticsearch versions with the corresponding versions of the JDK and JSM, making it impervious to both remote code execution and information leakage.
If your Oro instance is deployed on-premise, you should check your Elasticsearch instance and upgrade it, or, if needed, apply the JVM setting recommended on Elastic’s website.
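One way to run that check on an on-premise cluster, as an added example that is not Oro's or Elastic's own tooling: compare the reported version against the first fixed release and, failing that, confirm every node's JVM was started with the `-Dlog4j2.formatMsgNoLookups=true` option from Elastic's advisory. The fixed-version numbers are an assumption to confirm against Elastic's website, and the two JSON documents are constructed stand-ins for the `GET /` and `GET /_nodes/jvm` responses.

```python
from typing import Dict, List, Tuple

# Assumption (confirm against Elastic's advisory): first Elasticsearch releases
# per major line that ship without the vulnerable log4j JndiLookup class.
# Majors not listed fall through to the JVM-flag check below.
FIXED_VERSIONS = {7: (7, 16, 1), 6: (6, 8, 21)}
# JVM option Elastic recommends as a mitigation on releases that are not yet
# upgraded (only honoured by log4j 2.10 and later).
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.10.2' into (7, 10, 2); drops suffixes such as '-SNAPSHOT'."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def version_is_fixed(version: str) -> bool:
    """True when the version is at or past the fixed release of its major line."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    return fixed is not None and parsed >= fixed


def nodes_missing_flag(nodes_json: Dict) -> List[str]:
    """Names of nodes whose JVM input arguments lack the mitigation flag."""
    missing = []
    for node in nodes_json.get("nodes", {}).values():
        args = node.get("jvm", {}).get("input_arguments", [])
        if NOLOOKUPS_FLAG not in args:
            missing.append(node.get("name", "?"))
    return missing


def assess(root_json: Dict, nodes_json: Dict) -> str:
    """Upgrade satisfied -> 'ok: version'; flag on all nodes -> 'ok: flag';
    otherwise list the nodes that still need the upgrade or the flag."""
    if version_is_fixed(root_json["version"]["number"]):
        return "ok: version"
    missing = nodes_missing_flag(nodes_json)
    return "ok: flag" if not missing else "action needed: " + ", ".join(missing)


# Constructed sample responses standing in for GET / and GET /_nodes/jvm.
SAMPLE_ROOT = {"version": {"number": "7.10.2"}}
SAMPLE_NODES = {"nodes": {
    "n1": {"name": "es-1", "jvm": {"input_arguments": ["-Xms4g", NOLOOKUPS_FLAG]}},
    "n2": {"name": "es-2", "jvm": {"input_arguments": ["-Xms4g"]}},
}}

if __name__ == "__main__":
    print(assess(SAMPLE_ROOT, SAMPLE_NODES))  # action needed: es-2
```

Against a live cluster, feed the script the bodies of `curl http://<host>:9200/` and `curl http://<host>:9200/_nodes/jvm` instead of the constructed samples.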
We understand that this vulnerability is a major source of worry for our customers. We continue to monitor the situation and stay in close contact with vendors for any recommendations. If we identify systems frequently used with Oro that may be impacted by this vulnerability, we will let you know as soon as possible.
We also recommend checking whether your other software could be affected using this link and contacting vendors for patches and other corrective measures.
We will update this post as more information becomes available.