Apache Log4j Vulnerability Response Note (December 14, 2021)

Summary

A critical vulnerability in Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) has been publicly disclosed that may allow for remote code execution, impacting products that use the library. After a comprehensive audit, all HYCU’s product and SaaS services are not impacted by this vulnerability.

Date of Publication

Dec 20th 2021

Description

This vulnerability only affects log4j versions between 2.0 and 2.14.1. The exploit requires an attacker to remotely access an endpoint and send arbitrary data logged or otherwise processed by the log4j engine. 

Once the vulnerability was identified, HYCU completed a comprehensive audit of all its software and services, and our support team has established that HYCU users are not impacted by the critical Apache Log4j vulnerability known as CVE-2021-44228. Based on our support team’s audit, there is no additional remediation required for any HYCU Software or Service at this time. 

Related to this incident, here are additional specifics for the HYCU software and services portfolio and any action that is required.

Software / Service

Description

Impact Statement

Action Required

HYCU Data Protection for Enterprise Clouds

Software used to protect customer’s on-prem infrastructure running VMware, Nutanix and physical servers

The solution does not use the affected library at this time. So, it is not exposed to this vulnerability

None Required

HYCU Data Protection as a Service for Google Cloud

Service used to protect workloads on Google Cloud Platform

The service did use the affected library. As soon as the patch was available, HYCU updated it on Dec 13th 2021 and service is not exposed to the vulnerability at this time

None Required

HYCU Data Protection as a Service for Azure

Service used to protect workloads on Microsoft Azure Cloud

The service did use the affected library. As soon as the patch was available, HYCU updated it on Dec 13th 2021 and service is not exposed to the vulnerability at this time.

None Required

HYCU Protégé for Office 365

Service used to protect customer’s data on Microsoft Office 365

This service does not use the reported library and thus is not vulnerable to it.

None Required

 

Update as of December 20, 2021

CVE-2021-45046 and CVE-2021-45105 are two additional vulnerabilities that were discovered in log4j library. HYCU Engineering team has analysed HYCU for Enterprise Cloud, HYCU Data Protection as a Service for Google Cloud and HYCU Data Protection as a Service for Azure and determined that the solutions/service not affected.

 

References

CISA - https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

Mitre CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45105

Apache - https://logging.apache.org/log4j/2.x/security.html

 

Was this article helpful?
2 out of 2 found this helpful

Comments

1 comment
  • Thank you all very much for posting these advisories to your support site! - Randy

    0

Please sign in to leave a comment.