Summary
A critical vulnerability in Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) has been publicly disclosed that may allow for remote code execution, impacting products that use the library. After a comprehensive audit, HYCU's products and SaaS services are not impacted by this vulnerability.
Date of Publication
Dec 20th 2021
Description
This vulnerability only affects log4j versions between 2.0 and 2.14.1. To exploit it, an attacker must be able to reach an endpoint remotely and send arbitrary data that is logged or otherwise processed by the log4j engine.
Once the vulnerability was identified, HYCU completed a comprehensive audit of all its software and services, and our support team has established that HYCU users are not impacted by the critical Apache Log4j vulnerability known as CVE-2021-44228. Based on our support team’s audit, there is no additional remediation required for any HYCU Software or Service at this time.
Related to this incident, here are additional specifics for the HYCU software and services portfolio and any action that is required.
Software / Service | Description | Impact Statement | Action Required |
---|---|---|---|
HYCU Data Protection for Enterprise Clouds | Software used to protect customer’s on-prem infrastructure running VMware, Nutanix and physical servers | The solution does not use the affected library at this time. So, it is not exposed to this vulnerability | None Required |
HYCU Data Protection as a Service for Google Cloud | Service used to protect workloads on Google Cloud Platform | The service did use the affected library. As soon as the patch was available, HYCU updated it on Dec 13th 2021 and service is not exposed to the vulnerability at this time | None Required |
HYCU Data Protection as a Service for Azure | Service used to protect workloads on Microsoft Azure Cloud | The service did use the affected library. As soon as the patch was available, HYCU updated it on Dec 13th 2021 and service is not exposed to the vulnerability at this time. | None Required |
HYCU Protégé for Office 365 | Service used to protect customer’s data on Microsoft Office 365 | This service does not use the reported library and thus is not vulnerable to it. | None Required |
Update as of December 20, 2021
CVE-2021-45046 and CVE-2021-45105 are two additional vulnerabilities that were discovered in the log4j library. The HYCU Engineering team has analysed HYCU for Enterprise Cloud, HYCU Data Protection as a Service for Google Cloud and HYCU Data Protection as a Service for Azure and determined that the solutions/services are not affected.
References
CISA - https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
Apache - https://logging.apache.org/log4j/2.x/security.html
Comments
Thank you all very much for posting these advisories to your support site! - Randy
Informative article!