
Statement on the recent Log4j security vulnerability

What's this blog post about?

Recently, a severe remote code execution vulnerability (CVE-2021-44228), known as Log4Shell, was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. This vulnerability affects many Java applications using the Log4j library. Coder's security model enforces authentication and restricts user access to their own workspaces, making it unlikely for Coder workspaces to be affected by this vulnerability. The company is working with its upstream vendors to investigate and patch any vulnerable applications as a preventive measure against potential security risks. JetBrains has released a statement confirming that all IntelliJ platform-based IDEs and Gateway are not affected. Coder uses Kubernetes network policies to prevent data exfiltration, requiring connections to pass through an authenticating proxy. The company's built-in security controls on DevURLs allow administrators to enforce installation-wide policies such as user authentication via the organization's identity provider.

Company
Coder

Date published
Dec. 13, 2021

Author(s)
Jonathan Yu

Word count
307

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.