Beta Member

The Log4j Security Issue - Does It Affect Square?

Reading about the massive security threat from the flaw in the Log4j open-source code, which affects hundreds of millions of systems worldwide that use it to track user activity, begs the question: does Square utilize this code as part of its OS and, if so, are its users vulnerable to being hacked as a result?

"New mysteries. New day. Fresh donuts" - David Lynch
1,947 Views
Message 1 of 13


 

1,839 Views
Message 2 of 13
Beta Member

Me too Cube1. The fact it's got over 150 views and no reply from Square is........

"New mysteries. New day. Fresh donuts" - David Lynch
1,793 Views
Message 3 of 13

Yes, waiting to update my company.

 

1,740 Views
Message 4 of 13
Super Seller

1,654 Views
Message 5 of 13
Super Seller

I still talk to the tech company I used to work for and it took them days to fully test if they were vulnerable, and they continue to have a penetration specialist test their site. So it may take a while for Square to know if the exact vulnerability affects them and if it does they'll have to work on how to best communicate to us about it. As a breach hasn't been reported, I'm assuming Square doesn't use AWS (the main target) or they might be on a different version of Java? We'll see, but I'd be patient in hearing from them.

Andrea with Kei Collective - an artist collective with a shop in Phoenix, AZ

We're a Square Super Seller - We're here to help!
1,650 Views
Message 6 of 13

Was just chatting with support about this. I had to convince them that it was real by sending the CISA.gov link and Salesforce's status page to get them to believe me.

 

Then, their response was "At the moment for us this information is new"! And gave me the link to this article.

 

They seem to really be on top of this!

1,509 Views
Message 7 of 13
Super Seller

I wouldn't expect the general help desk to be informed of top-level network admins' activity on a potential hack. They are there to support you using the Square app, not the latest from DEF CON.

1,447 Views
Message 8 of 13
Beta Member

Posted for two weeks & still no reply or even acknowledgment on Square's behalf. Threads get moved all the time so if this topic is best suited elsewhere please move it. 

 

The fact that this has gone this long with zero acknowledgment from Square is concerning, particularly if they faced legal ramifications if users suffered cyber attacks, malware or outright theft because of an error in their OS.

"New mysteries. New day. Fresh donuts" - David Lynch
1,373 Views
Message 9 of 13
Admin

Apologies for the delay! 

Isabelle | she/her
Seller Community & Super Seller Program Manager | Square, Inc.
Learn about the Super Seller program!
1,287 Views
Message 10 of 13
Admin

Best Answer

Hi all!

 

I appreciate you surfacing this question @RuckusDonuts. Apologies for the delay, but I am here with an official response from Square: 

 

Background

 

A widespread remotely exploitable vulnerability in a critical Java dependency (log4j2, CVE-2021-44228) was recently discovered in the wild and there are reports of it being actively exploited. This vulnerability relies on user-supplied input being provided to the log4j2 logging stream, where the input can contain JNDI handler references, including the LDAP handler. This allows for remote code execution through the remote inclusion of a pre-compiled Java class from a remote location. This vulnerability can also be leveraged to perform DNS exfiltration from unpatched systems.

 

Log4j is a popular Java library developed and maintained by the Apache Foundation. The library is widely adopted and used in many commercial and open-source software products as a logging framework for Java.

 

Response and Status

 

This security vulnerability has our full attention. Our operations and engineering teams across the company are working around the clock to assess impact and remediate the issue as quickly as possible. At present our security teams have not identified any adverse impacts to customer data or systems. We will continue to monitor and investigate the situation, and we will notify our Sellers without undue delay if we identify any adverse impact to Sellers or their data.

 

Our security teams have also engaged current suppliers to ensure they’re actively working towards identifying and remediating this vulnerability as quickly as possible. 

What Should I Do To Protect Myself?

For the services offered by Square, no action is required for Square Sellers. Remediation is being managed by Square on your behalf.

We strongly encourage Square sellers and partners who run this vulnerable version of Log4j to update to version 2.15.0, version 2.16.0 or apply vendor patches. 

This is an ongoing event and we will continue to provide updates as we learn more.

 

Isabelle | she/her
Seller Community & Super Seller Program Manager | Square, Inc.
Learn about the Super Seller program!
1,288 Views
Message 11 of 13
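Added example, not code from Square or from anyone in this thread: for sellers or partners who run a Java application of their own and want to check which log4j-core they ship against the versions the response names (2.15.0 and 2.16.0), a small Python check that reads the version log4j-core declares inside its jar and triages jar filenames. It treats every Log4j 2 release below 2.15.0 as needing the update, as the thread advises; the in-memory sample jar is constructed for the example.

```python
import io
import re
import zipfile
from pathlib import Path

# Thresholds taken from the Square response: update to 2.15.0 or 2.16.0.
FIRST_FIX = (2, 15, 0)
RECOMMENDED = (2, 16, 0)
# Path of the Maven properties file that log4j-core embeds in its jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def classify(version_text):
    """Map a log4j-core version to the action the thread recommends."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[0] != 2:
        return "not-log4j2"      # 1.x is a different code base; out of scope here
    if v < FIRST_FIX:
        return "vulnerable"      # below 2.15.0: update now
    if v < RECOMMENDED:
        return "patched-2.15"    # on the first fix version named in the thread
    return "patched"             # 2.16.0 or later

def version_from_jar(src):
    """Read the version log4j-core declares in its embedded pom.properties."""
    with zipfile.ZipFile(src) as jar:     # src: path or file-like object
        if POM not in jar.namelist():
            return None
        m = re.search(r"^version=(.+)$", jar.read(POM).decode("utf-8", "replace"), re.M)
        return m[1].strip() if m else None

def scan_jar_names(names):
    """Quick triage by filename (log4j-core-<version>.jar) over a list of paths."""
    pat = re.compile(r"log4j-core-([\d.]+[\w-]*)\.jar$")
    return {n: classify(m[1]) for n in names if (m := pat.match(Path(n).name))}

def make_sample_jar(version):
    """Constructed fixture: an in-memory jar carrying only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM, f"groupId=org.apache.logging.log4j\nversion={version}\n")
    return io.BytesIO(buf.getvalue())
```

Pointing `version_from_jar` at the real `log4j-core-*.jar` files on an application's classpath gives the declared version even when the filename has been renamed.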
Beta Member

Thank you!!! Very appreciative of the detailed reply.

 

So how do we know if our versions of Square are vulnerable & require updating/patches?

"New mysteries. New day. Fresh donuts" - David Lynch
1,198 Views
Message 12 of 13
Admin

I'm going to have to get back to you on that one @RuckusDonuts 🍩 

Isabelle | she/her
Seller Community & Super Seller Program Manager | Square, Inc.
Learn about the Super Seller program!
1,153 Views
Message 13 of 13