Last week, a critical zero-day vulnerability in the Apache log4j logging library was published. The exploit, known as log4shell, allows arbitrary code execution on affected systems — many of which are servers that form part of the internet’s larger infrastructure and core services. At this time, we have no reason to believe Esper has been targeted, or that Esper, or devices running Android or Foundation, are generally vulnerable to the exploit in the first place.
For our customers concerned about the log4j vulnerability and its wider implications for the Android OS and Foundation, we understand that the security of your devices is paramount, and that the mission-critical roles those devices serve mean any threat is a serious one. However, we believe that certain factors make Android-specific exploitation a very unlikely (though not impossible) scenario under most circumstances.
The log4shell exploit relies on support for the Java Naming and Directory Interface (JNDI) to perform remote lookups, but JNDI is not natively supported by Android. Furthermore, log4j itself does not support Android (per this Stack Overflow thread by one of log4j’s maintainers), and the vast majority of Android applications use Android’s own logging library. In short: there is very little reason to believe log4shell poses a particular danger to Android devices. If an application relies on web servers that are vulnerable to log4shell, it is largely immaterial which operating system that application runs on, because the exploitation would occur on the server side, not the client side.
While it would require significant effort to create an app that uses log4j on Android, you should still practice due diligence and check in with your development team and software vendors about their response to log4shell.
As part of our own investigation, Esper quickly identified and patched a small number of vulnerable tools in our own infrastructure. While our primary backend services don’t use Java, we do use some open-source components that are Java-based. For example, the Apache Flink framework is among the tools vulnerable to log4shell, and the developer of that framework published a mitigation, which Esper applied internally to our own systems earlier this week. Flink’s developer states there will be a full patch for the issue in the next one to two weeks, which we will deploy promptly. None of the systems we identified as vulnerable were customer-facing, and we have implemented fixes as they have become available.
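The due-diligence check recommended above is easy to automate. The following is an added example written for this post; it is not Esper’s internal tooling, the log4j project’s code, or Flink’s published mitigation. It walks a directory tree, identifies log4j-core jars by their Maven `pom.properties` entry, reports the version and whether the `JndiLookup` class is present, and can write a copy of a jar with that class removed, which is the widely used interim mitigation while waiting for a vendor patch. The version threshold, the sample jars and their version strings are constructed placeholders; take the actual fixed version from the current Apache Log4j advisory.

```python
"""Triage helper (example, not Esper's or the log4j project's code): find
log4j-core jars under a directory, report version and whether the JNDI
lookup class is present, and optionally write a copy without that class."""
import os
import re
import tempfile
import zipfile

# Path of the class that performs JNDI lookups inside log4j-core jars.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata entry that carries the artifact version.
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# Placeholder threshold for the demo: substitute the fixed version named in
# the current Apache Log4j advisory before using this for real triage.
MIN_SAFE_VERSION = "2.15.0"


def version_tuple(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def _parse_version(pom_properties_text):
    for line in pom_properties_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path, min_safe_version=MIN_SAFE_VERSION):
    """Report whether a jar is log4j-core, its version, and whether it still
    needs attention (JndiLookup present and version below the threshold)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                version = _parse_version(zf.read(name).decode("utf-8", "replace"))
                break
        has_jndi = JNDI_LOOKUP_ENTRY in names
    is_log4j_core = version is not None or has_jndi
    below_threshold = version is None or version_tuple(version) < version_tuple(min_safe_version)
    return {
        "path": path,
        "log4j_core": is_log4j_core,
        "version": version,
        "jndi_lookup_present": has_jndi,
        "needs_action": is_log4j_core and has_jndi and below_threshold,
    }


def scan_tree(root, min_safe_version=MIN_SAFE_VERSION):
    """Walk a directory and return findings for every log4j-core jar in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if not filename.endswith(".jar"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                result = inspect_jar(path, min_safe_version)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it
            if result["log4j_core"]:
                findings.append(result)
    return findings


def strip_jndi_lookup(src, dst):
    """Write a copy of src without the JndiLookup class. Returns True if the
    entry was present and removed. Replace the deployed jar only after the
    application has been tested with the stripped copy."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_ENTRY:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar; the class bytes are dummies."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build two constructed jars, scan them, strip one, and re-inspect it."""
    tmp = tempfile.mkdtemp(prefix="log4j-triage-")
    old = os.path.join(tmp, "log4j-core-2.14.1.jar")  # constructed, below threshold
    new = os.path.join(tmp, "log4j-core-2.99.0.jar")  # constructed, above threshold
    build_sample_jar(old, "2.14.1")
    build_sample_jar(new, "2.99.0")
    findings = {r["path"]: r for r in scan_tree(tmp)}
    stripped = os.path.join(tmp, "log4j-core-2.14.1-nojndi.jar")
    removed = strip_jndi_lookup(old, stripped)
    return {"old": findings[old], "new": findings[new],
            "removed": removed, "after": inspect_jar(stripped)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Stripping the class only blocks the JNDI lookup path; it does not replace the vendor’s full patch, which is why the scan reports the version separately so the jar can be revisited once the patched release ships.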
We’ll continue to monitor the log4shell situation as it develops.