Scalefusion Security Advisory for Apache Log4J2 Vulnerability

Issue Description

The Scalefusion team is aware of the critical security vulnerability discovered in the Apache Log4J2 library, CVE-2021-44228. If exploited, this vulnerability allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Although a patch was released for CVE-2021-44228, it was deemed incomplete, and a new vulnerability, CVE-2021-45046, has been reported.

This advisory records the action taken and the current status.

Handling by Scalefusion

Current Status:

  • CVE-2021-44228: All Systems & Modules Patched
    We identified all the modules and systems that consume the library and were vulnerable to the attack, and took the necessary action immediately. As it stands, none of our software uses the version of the library that is prone to exploits.
  • CVE-2021-45046: All Systems & Modules Patched
    We identified all the modules and systems that consume the library and were vulnerable to the attack, and took the necessary action immediately. As it stands, none of our software uses the version of the library that is prone to exploits.

Impact of the Vulnerability on Scalefusion Cloud Infrastructure

  • CVE-2021-44228: None.
    We have investigated the potential impacts on our cloud infrastructure and have found no evidence that this vulnerability was exploited before we had patched all our systems.
  • CVE-2021-45046: None.
    We have investigated the potential impacts on our cloud infrastructure and have found no evidence that this vulnerability was exploited before we had patched all our systems.

What should Customers Do?

No Action Required.

No action is required from customers who are using Scalefusion Online or Cloud-based services.

If you have any questions or comments, please reach out to [email protected]

