Press Release

Cybersecurity Announcement - Log4j

Event Summary

On December 9, 2021, security professionals publicly announced a zero-day vulnerability in Log4j, a logging tool offered by the Apache Foundation. The vulnerability exists in versions prior to 2.15.0 and is documented in CVE-2021-44228 with the highest CVSS score (10.0).

Event Impact

If the vulnerability is exploited, an attacker can remotely execute code on servers running a vulnerable version of Log4j. A successful attack may allow attackers to redirect incoming JNDI lookups to a remote codebase, forcing the vulnerable server to execute the potentially malicious code.

ARCA Response

Immediately following the announcement, ARCA security and engineering teams began evaluating all ARCA products and internal services for any potential impact. ARCA has identified no components in the scope of the vulnerability.

Actions to Consider

If you’re a technical company with exposure to the vulnerability, patch Log4j instances to version 2.16 as soon as possible. This version is available for download on Apache’s website.

If unable to patch vulnerable components, we recommend one of the following mitigations:

  • Set the system property "log4j2.formatMsgNoLookups" to "true"
  • Remove the JndiLookup class from the classpath
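
To check which of these actions a host still needs, the following added example (not ARCA's or Apache's code) scans a directory tree for log4j-core jars and reports whether each is at 2.16 or later, is older with the JndiLookup class removed, or still needs patching. It assumes the version can be read from the standard log4j-core-<version>.jar file name, does not look inside bundled or shaded jars, and cannot see whether the system property is set; the sample jars are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class file that the second mitigation removes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PATCHED = (2, 16, 0)  # version the announcement says to upgrade to
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?")

def classify(jar_path):
    """Return the status of one log4j-core jar."""
    m = NAME_RE.match(Path(jar_path).name)
    if m is None:
        return "unknown-version"
    version = tuple(int(part or 0) for part in m.groups())
    if version >= PATCHED:
        return "ok"
    with zipfile.ZipFile(jar_path) as jar:
        return "needs-patch" if JNDI_CLASS in jar.namelist() else "class-removed"

def scan(root):
    """Map every log4j-core jar under root to its classification."""
    results = {}
    for jar_path in sorted(Path(root).rglob("log4j-core-*.jar")):
        try:
            results[jar_path.name] = classify(jar_path)
        except zipfile.BadZipFile:
            results[jar_path.name] = "unreadable"
    return results

def demo():
    """Build constructed sample jars in a temp directory and scan them."""
    samples = {  # constructed file names and contents, not real Log4j builds
        "log4j-core-2.14.1.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],
        "log4j-core-2.12.0.jar": ["META-INF/MANIFEST.MF"],  # class stripped
        "log4j-core-2.16.0.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, members in samples.items():
            target = Path(tmp) / "app" / "lib" / name
            target.parent.mkdir(parents=True, exist_ok=True)
            with zipfile.ZipFile(target, "w") as jar:
                for member in members:
                    jar.writestr(member, b"")
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Call scan() with an application or server install directory; any jar reported as needs-patch should be upgraded or have one of the mitigations above applied.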

For more information

Visit CISA’s dedicated page, “Apache Log4j Vulnerability Guidance.”


About ARCA

ARCA’s solutions help people control and streamline cash operations in financial institutions, retail stores, and self-service kiosks around the world. We develop technology and services that make transactions simpler, more efficient and more secure. Visit arca.com for more information.

Media Contact

John Cline
ARCA Communications 
1151 Holmes Rd.
Mebane, NC 27302
Tel. (919) 442-3042
j.cline@arca.com