CVE-2021-44228 (log4j RCE)

 

Using a specific HTTP request, it was possible to exploit CVE-2021-44228 on the Raley Purchase Orders AppServer. According to the Common Vulnerability Scoring System, this qualifies as a critical vulnerability. The issue was identified by Atlassian security testing just after the discovery of the original vulnerability. The testing was performed on 2021/12/13. The patch was implemented and rolled out to production on the same day.

Based on our investigation, no such malicious HTTP requests had previously been sent to our production instance, so it is very unlikely that this vulnerability has been used by a hacker.

As the app was patched immediately, no further action is required from you.

 

For any questions, please contact us via support@raleyapps.com or by raising a ticket on our JSM portal: https://inversionpoint.atlassian.net/servicedesk/customer/portal/3