ETPA is aware of the vulnerability in Apache Log4j (CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints). Via this post we would like to give you an update on our status and situation related to this vulnerability.

Is ETPA affected?
ETPA has done an internal investigation into possible malicious use originating from the CVE-2021-44228 vulnerability. The scope of the investigation included our core trading systems, libraries, third party integrations and services as well as all auxiliary services hosted or used by ETPA. Earlier this week we found one potential risk with a third party software ETPA utilises. The software is used to monitor certain parts of this system and therefore did not pose a direct risk to any of the trading systems or expose any sensitive information. The third party software has been upgraded and is no longer a risk. All third-party suppliers have assured us that there are no existing risks to our information or the reliability of their service. 

Security at ETPA
At ETPA we are continuously working on having the highest possible security standards. We actively keep all of our services and libraries up to date by doing frequent updates. ETPA has done many risk assessments of its security throughout the past months and years.  Next to that we design our applications and systems with ‘security by design’ principle and have highest standards on active monitoring.

If you have any questions or suggestions please let us know.

support@etpa.nl

Helpful links and more information about log4j:

• https://www.ncsc.nl/actueel/nieuws/2021/december/15/kwetsbaarheid-in-apache-log4j-patch-versie-2.15
• https://logging.apache.org/log4j/2.x/security.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228