LoanPro incident

Important: Java Vulnerability

Notice Resolved

LoanPro experienced a notice incident on December 11, 2021 affecting LoanPro - LMS Web Application and LoanPro - LMS API and 1 more component, lasting —. The incident has been resolved; the full update timeline is below.

Started
Dec 11, 2021, 03:59 AM UTC
Resolved
Dec 11, 2021, 03:59 AM UTC
Duration
Detected by Pingoru
Dec 11, 2021, 03:59 AM UTC

Affected components

LoanPro - LMS Web Application, LoanPro - LMS API, Secure Payments ApplicationConnections

Update timeline

  1. resolved Dec 11, 2021, 03:59 AM UTC

    Java Vulnerability

    As part of our ongoing monitoring of all systems and our Security certifications, we are always monitoring system vulnerabilities. We are aware of a serious vulnerability recently identified that affects websites or applications using Java, specifically the log4j versions 2.0 – 2.14.1. These versions primarily use the "jndi:" logging.

    Although this is a global Java vulnerability that many organizations around the world are becoming aware of, we want to assure you that LOANPRO HAS ALREADY ADDRESSED THIS ISSUE in all of our Applications. LoanPro keeps strict security vulnerability assessment and patch management operational procedures, resulting in vulnerabilities such as this one being addressed swiftly. We strongly recommend that each of our clients that use Java for any of your homegrown systems do the same.

    In order to mitigate additional vulnerabilities, you or your web developer or solution provider should switch any current log4j2.formatMsgNoLookups to a status of true by adding: "-Dlog4j2.formatMsgNoLookups=True" to the JVM command used for starting the application.

    Additionally, to help prevent the library from being exploited, we urgently recommend that any Java Log4j versions are upgraded to log4j-2.15.0-rc1. Please contact your developer, application solution, and/or hosting provider for further assistance in identifying your business applications requiring this update.

    More information regarding this vulnerability finding can be found at:

    https://www.lunasec.io/docs/blog/log4j-zero-day/
    https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

    Thank you for your attention to this urgent matter.

    Sincerely,
    LoanPro Team
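One way to identify which packaged applications contain a log4j-core copy in the range the notice names (2.0 – 2.14.1), including copies nested inside fat jars. This is an added example, not LoanPro's code: the function names are hypothetical, the sample jars are constructed in memory, it assumes the Maven `pom.properties` metadata is present in the archive, and the 2.10.0 threshold for the `log4j2.formatMsgNoLookups` property is a fact about Log4j that the notice does not state.

```python
import io
import re
import zipfile

# Range stated in the notice: log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Not in the notice: log4j2.formatMsgNoLookups is only read by 2.10.0 and later.
FLAG_MIN = (2, 10, 0)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' or '2.15.0-rc1' -> (2, 14, 1) / (2, 15, 0); qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def scan_archive(data, label="app.jar", depth=0):
    """Return one finding per log4j-core copy in a jar/war, descending into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(POM):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    raw = m.group(1).strip()
                    v = parse_version(raw)
                    findings.append({"where": label, "version": raw,
                                     "affected": AFFECTED_MIN <= v <= AFFECTED_MAX,
                                     "flag_supported": v >= FLAG_MIN})
            elif name.lower().endswith(NESTED) and depth < 4:
                try:
                    findings += scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
                except zipfile.BadZipFile:
                    pass  # file has an archive extension but is not a zip; skip it
    return findings

def make_jar(files):
    """Build a jar in memory (constructed sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    libs = {f"BOOT-INF/lib/log4j-core-{v}.jar": make_jar({POM: f"version={v}\n"})
            for v in ("2.14.1", "2.8.2", "2.15.0")}
    return scan_archive(make_jar(libs), "app.jar")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with `affected` true and `flag_supported` false marks a copy where the JVM flag has no effect, so upgrading the library is the only option for that archive.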