To our valued customers,
On Friday, 10 December, the world became aware of a zero-day critical-severity exploit in the log4j2 logging library, CVE-2021-44228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
, known colloquially as "Log4Shell".
The Log4Shell vulnerability allows attackers to execute code on backend servers that log unescaped user input, thereby taking over these machines and potentially installing malware, stealing user data, and worse.
At Coralogix, we immediately responded by taking the following measures:
* The vulnerability is mitigated by running an up-to-date version of the JVM, which by default prohibits the capability that the vulnerability depends on. Our Security team worked with our Platform team to ensure that all of our JVM-based services are running a patched JVM.
* The vulnerability is mitigated by patching the log4j2 library to version 2.15 or later. For all of our in-house services, we have patched the log4j2 library and deployed the patched services into production.
* The vulnerability is mitigated by configuring the log4j2 properties to prohibit the capability that the dependency depends upon. In the case of services which we have procured from a vendor, we have deployed the log4j2 properties file patch accordingly while we wait for our vendors to issue a patch.
At Coralogix, we use an internal instance of Coralogix to monitor our production systems. We have detected cases of attackers attempting to exploit Log4Shell, but none of these attempts have been successful. No Coralogix systems have been compromised.
As such, we are confident that our systems are fully patched against Log4Shell.
As a customer, no action is required on your part.
- Some customers may be using a custom Coralogix log4j2-appender library to send logs to Coralogix. If you are one of these customers, you are encouraged to update to the patched version 2.0.8, which uses log4j2 2.15. The new version is available on our JFrog repository: https://jfrog.coralogix.com/artifactory/maven/com/coralogix/sdk/log4j2-appender/2.0.8/log4j2-appender-2.0.8.jar
- In case you are using logstash, please distinguish between:
1. Coralogix logstash docker image - please make sure you are using the latest version (https://hub.docker.com/r/coralogixrepo/logstash-coralogix-image/tags
2. Undockerized Logstash - please make sure you are using JDK version 11.0.2 and above (with regards to recommendations provided by Elastic - https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476