Published on 14 Dec 2021 - Updated on 23 Dec 2021
On December 9th, 2021, a vulnerability in the Log4J Java library was identified (log4j CVE-2021-44228). This library is widely used for logging error messages in applications. If exploited, it could allow a bad actor (security hacker) to execute a ‘remote code execution’ (RCE) attack against Java-based web servers, giving the bad actor control of the system.
On December 15th, 2021, the open-source patch for the original Log4J exploit was found to have its own vulnerability (CVE-2021-45046). A newer version of the open-source patch (v 2.16.0) is now available and should be applied to affected systems to remove any potential for exploit.
We will be using this blog post to provide updates on the ExaVault review of the Log4J vulnerability as well as any mitigation or remediation that may be required.
2021-12-23 @ 04:00 PM (PT)
All affected systems in the ExaVault services have been updated or patched for the log4j CVE-2021-44228 and CVE-2021-45046 exploits. We will continue to monitor any news or developments around Log4J and continue to run version updates for all systems as they become available.
2021-12-17 @ 02:30 PM (PT)
All customer-facing software patches are current with the latest version and protected against both the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
2021-12-17 @ 07:00 AM (PT)
Team adds the new Log4J 2.15.0 patch vulnerability (CVE-2021-45046) to our internal audit process. While our application software still has no instance of Log4J, we are reviewing previous updates of open-source system software to confirm they apply the newly released version 2.16.0 patch.
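An audit step like the one above comes down to finding every copy of log4j-core on a host and checking its version against the 2.16.0 threshold the post names. The script below is an added example and is not ExaVault's own tooling; it reads the Maven pom.properties that log4j-core ships inside its JAR, descends into nested archives (WEB-INF/lib in a WAR, shaded fat JARs) where the library is usually hidden, and also notes whether JndiLookup.class is present. The sample JAR and WAR it builds are constructed fixtures for demonstration, not real artifacts.

```python
import io
import zipfile
from pathlib import Path

# Threshold from the post: 2.16.0 addresses both CVE-2021-44228 and CVE-2021-45046.
FIXED_VERSION = (2, 16, 0)
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a non-numeric tail such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def inspect_jar(data, name, depth=0):
    """Return one finding per log4j-core copy found inside the archive bytes `data`.

    Nested archives are opened recursively (up to a small depth) because a WAR's
    WEB-INF/lib or a shaded fat JAR is where log4j-core is most often bundled.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            if version is not None:
                vulnerable = parse_version(version) < FIXED_VERSION
            else:
                # JndiLookup present but no Maven metadata: cannot prove it is patched
                vulnerable = True
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": has_jndi, "vulnerable": vulnerable})
        if depth < 4:
            for inner in names:
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}", depth + 1))
    return findings


def scan_directory(root):
    """Walk `root` and report every archive that contains log4j-core."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_jar(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed test fixture: a minimal JAR carrying only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"")  # empty placeholder, not a real class file
    return buf.getvalue()


def build_nested_war(inner_jar):
    """Constructed test fixture: a WAR that bundles `inner_jar` under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        for f in inspect_jar(build_sample_jar(v), f"log4j-core-{v}.jar"):
            print(f"{f['jar']}: version={f['version']} {'VULNERABLE' if f['vulnerable'] else 'ok'}")
    for f in inspect_jar(build_nested_war(build_sample_jar("2.14.1")), "app.war"):
        print(f"{f['jar']}: version={f['version']} {'VULNERABLE' if f['vulnerable'] else 'ok'}")
```

Run scan_directory("/opt") (or wherever your Java applications live) to get the list of findings; a copy with no pom.properties but with JndiLookup.class present is reported as vulnerable on purpose, since its version cannot be established from the archive alone. The single 2.16.0 threshold is the one the post states; the separately maintained 2.12.x and 2.3.x branches for older Java runtimes received their own fixed releases and would need their own thresholds if you run them.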
2021-12-15 @ 04:00 PM (PT)
All agents in our performance management software have been upgraded to patch the Log4J vulnerabilities. All customer-facing software is now up-to-date and protected from the log4j CVE-2021-44228 exploit.
2021-12-14 @ 12:20 PM (PT)
During the internal audit, the team identified a potential vulnerability in our performance management software (customer-facing). Engineers are currently reinstalling the latest agent version provided, which corrects any Log4J vulnerabilities.
2021-12-13 @ 02:00 PM (PT)
During the internal audit, the team identified two libraries in our logging system (internal, non-customer-facing) with potential vulnerabilities. New versions of both potentially vulnerable libraries were released today that remove Log4J. Engineers are currently reinstalling the latest versions to correct the two impacted libraries.
2021-12-13 @ 01:30 PM (PT)
Audit started to review all system software, to confirm there are no other impacts to the ExaVault service and to determine whether there are remediations our customers need to consider.
2021-12-13 @ 01:00 PM (PT)
Engineering team completes initial review and confirms ExaVault application software is not impacted by Log4J.
Team becomes aware of vulnerability and begins to monitor available reports from reputable sources.