Cloudsmith Not Impacted By CVE-2021-44228 (log4shell / log4j)
Following a security audit, we confirm that CVE-2021-44228 does not impact the Cloudsmith service.
Updates
- 2021-12-22: Moved mitigation advice to the All About Log4j/Log4Shell article.
- 2021-12-20: Suggested log4j 2.17.0 instead, due to a DoS exploit in 2.16.0.
- 2021-12-15: Suggested log4j 2.16.0 instead, due to a DoS exploit in 2.15.0.
Background
The log4j library, an Apache Software Foundation (ASF) project, is a general-purpose and very widely used logging framework for Java. The framework allows developers to log data (including user-supplied data) from their applications.
On 10th December 2021, a critical-severity Remote Code Execution (RCE) vulnerability in log4j was publicly disclosed as CVE-2021-44228, affecting 2.x versions below 2.15.0 (2.0-beta9 through 2.14.1). The vulnerability has been dubbed Log4Shell.
The issue was reported to Apache by Alibaba on 24th November 2021, and has been characterized as one of the most impactful vulnerabilities of the last decade. Apache assigned it a CVSS rating of 10.0, the highest available score.
Applications that use the log4j library, where bad or malicious actors can influence what gets logged, can be exploited with well-crafted strings. Affected versions perform lookup substitution on logged messages, so a string such as ${jndi:ldap://...} causes the JVM to perform a JNDI lookup against a server the attacker controls, which can in turn lead to arbitrary (attacker-supplied) code being executed on the server. No authentication is needed: any input that reaches a log statement (an HTTP header such as User-Agent, a username, a form field) is a potential vector.
Is Cloudsmith impacted?
In short: No. We confirm that CVE-2021-44228 does not impact the Cloudsmith service following a security audit. As per our last announcement regarding ISO27001 certification, we're highly committed to security and privacy, and we'll do everything we can to assist with ensuring that our customers, and your customers, remain secure too.
Should I be concerned?
Although Cloudsmith is not impacted, the vulnerability is exceptionally high impact and log4j is extremely widely deployed, so developers and users of affected software should treat it with the utmost seriousness. Immediate action is required to identify and mitigate the software and environments impacted.
How can I mitigate the issue?
Updated: Please refer to our in-depth blog article on the issue, in which we provide the background, impact, identification and remediation (mitigation) advice for log4j / log4shell.
Next Steps
We'll be following this announcement with additional assistance and advice to help users identify affected packages hosted on and distributed from Cloudsmith. (Now released; see the Updates section above.)
If you have any questions about the exploit, need any additional help with identification or mitigation, or have any general concerns, please don't hesitate to get in touch with us.
The exploit is a bad one, so #hugops to everyone. We're here for you, so lean on us if you need to!
Learn More
Please visit the following resources to learn more about Log4Shell:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html
- https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
- https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/