On December 9th, security experts warned about an Apache Log4j vulnerability with the potential to be destructive. Many systems are still vulnerable to cyber attacks from this method, known as Log4Shell.
How harmful can the Log4Shell exploit be on a server?
Log4Shell is a zero-day exploit that allows an attacker to trick Log4j into downloading a malicious package that runs on the server. This package can then steal data and use the server for other malicious tasks.
Is my FileMaker solution impacted?
Here is Claris’ official statement on this issue. Some trace of the java library in question has been found in every version of FileMaker Server, except for FileMaker Servers 18 and 19. The Log4j can also be found on websites, web components (such as WordPress plugins), FileMaker plugins, etc.
Find more information on the Log4Shell exploit here.
Does this affect my solution if there is no external access to the local network?
Unfortunately, this configuration is still vulnerable to attack. A machine inside the network could be exploited separately and used to attack the server.
What can I do to protect my solution?
The only solution that will only mitigate the risk is to update your server to either FileMaker Server 18 or 19. Some other components or software may still have a vulnerable version of the Log4j library, such as a FileMaker plugin or a web site/component.
Contact your FileMaker consultant before updating your server, as all mitigation measures should be done on a case-by-case basis with the appropriate precautions. You can reach out to us here if you have questions about updating, or if you are considering updating your server.
This article is intended for informative purposes only. Please consult your FileMaker developer before making any changes to your solution.