Wherever software is used, attackers will keep looking for vulnerabilities, and every so often one comes to light that shakes the whole industry. On Friday, December 10, 2021, a new entry joined that list: a vulnerability in Apache Log4j. It has been assigned CVE-2021-44228 and is generally known as Log4Shell (a few early reports also called it LogJam, a name that clashes with an unrelated TLS vulnerability from 2015).
Apache Log4j 2 is an open-source logging library maintained by the Apache Software Foundation and used in a very large number of Java applications. The vulnerability, rated critical (CVSS 10.0), lets an unauthenticated remote attacker execute arbitrary code simply by getting a specially crafted string (a ${jndi:...} lookup) into a message that the application logs: Log4j resolves the lookup, fetches a payload from an attacker-controlled server and runs it. That code runs with the same permissions as the Java application doing the logging.
Because this library is embedded in so many products and (cloud) applications, the risk is rated very high. The Dutch NCSC (Nationaal Cyber Security Centrum, the National Cyber Security Centre) has taken a central role in collecting and publishing information. The vulnerability status of a long list of software products, status updates and advice from the various vendors can all be found at https://github.com/NCSC-NL/log4shell.
What is Fuga Cloud doing about this?
We immediately started investigating whether this vulnerability affects our platform and systems. So far there is no cause for concern or alarm. Naturally, we will keep monitoring and checking the security of our platform and that of our suppliers, just as our suppliers do in turn.
We are also monitoring our user subnets (internal systems, external systems of suppliers and possible abuse at our customers) so that we can act immediately at the first sign of suspicious activity.
The Apache Log4j team has published patched releases that address CVE-2021-44228/Log4Shell (upgrade to 2.16.0 or later; the initial 2.15.0 release was only a partial fix). However, it remains your responsibility to make sure that the services you host at Fuga Cloud are up to date and free of this critical Log4j vulnerability.
What can you do yourself?
Check https://github.com/NCSC-NL/log4shell to see whether the software you use is listed. If it is, check whether a fix is listed or follow the vendor's instructions. If you are not sure whether a particular product is vulnerable, look at the vendor's website; chances are they have already published something. If not, contact them, because they know their product best. Keep in mind that Log4j is often bundled inside applications (in WAR files, fat jars or vendor appliances), so a product can be affected even if you never installed Log4j yourself.
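One practical way to carry out that check on your own servers, as an added example that is not part of this article or of the NCSC repository: the Python script below walks a directory tree, opens every jar/war/ear it finds, recurses into archives nested inside them (Log4j is frequently bundled this way) and flags log4j-core versions affected by CVE-2021-44228 and the incomplete-fix follow-up CVE-2021-45046. The version cut-offs are those from the Apache Log4j advisory (2.16.0 for the main line, 2.12.2 for the Java 7 branch, 2.3.1 for the Java 6 branch). It identifies versions by the jar file name, an assumption that misses renamed jars; those still show up if they contain JndiLookup.class, with the version reported as unknown. It also reports whether JndiLookup.class is present, since deleting that class from the jar was the documented stop-gap when an upgrade was not possible. The directory layout it scans is constructed inside the script so that the example runs offline; point scan_tree at a real directory to use it.

```python
"""Find Log4j 2 'log4j-core' jars on disk, including ones nested inside WAR/EAR/fat jars,
and flag versions affected by CVE-2021-44228 (and the 2.15.0 follow-up CVE-2021-45046)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Cut-offs as published in the Apache Log4j security advisories: the 2.x main line is
# fixed from 2.16.0, the Java 7 branch (2.12.x) from 2.12.2 and the Java 6 branch (2.3.x)
# from 2.3.1. 2.15.0 was an incomplete fix, so it is still reported as vulnerable.
FIXED_MAIN = (2, 16, 0)
FIXED_BRANCH = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
# Class that performs the JNDI lookup; deleting it from the jar was the documented
# stop-gap mitigation when upgrading was not possible.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the jar keeps its upstream name. Renamed jars are only found via JNDI_CLASS.
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(path):
    """Version tuple from a log4j-core-X.Y.Z.jar file name, or None if it is not one."""
    m = VERSION_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if this log4j-core version is affected by CVE-2021-44228/CVE-2021-45046."""
    if version is None:
        return None          # unknown: needs a manual look at the jar
    if version[0] != 2:
        return False         # Log4j 1.x is not affected by this CVE (but is end-of-life)
    return version < FIXED_BRANCH.get(version[:2], FIXED_MAIN)


def scan_archive(data, path, findings):
    """Inspect one archive (as bytes) and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = parse_version(path)
        if version is not None or JNDI_CLASS in names:
            findings.append({
                "path": path,
                "version": version,
                "vulnerable": is_vulnerable(version),
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)


def scan_tree(root):
    """Scan every jar/war/ear below root; paths in the result are relative to root."""
    root = Path(root)
    findings = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and file.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(file.read_bytes(), file.relative_to(root).as_posix(), findings)
    return sorted(findings, key=lambda f: f["path"])


def make_jar(entries):
    """Build an in-memory zip from {entry name: bytes} (constructed test data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Write a constructed directory layout mimicking an application server."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "legacy").mkdir()
    stub = b"\xca\xfe\xba\xbe"   # class-file magic; the class body does not matter here
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_jar({JNDI_CLASS: stub}))
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(make_jar({JNDI_CLASS: stub}))
    # 2.14.1 with JndiLookup.class deleted: the stop-gap mitigation was applied
    (root / "legacy" / "log4j-core-2.14.1.jar").write_bytes(make_jar({"META-INF/MANIFEST.MF": b""}))
    # a WAR bundling an old Java 7 branch build; a plain file-name search would miss it
    inner = make_jar({JNDI_CLASS: stub})
    (root / "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core-2.12.1.jar": inner}))


def demo():
    """Scan the constructed tree; returns {path: (version, vulnerable, jndi_lookup_present)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    return {f["path"]: (f["version"], f["vulnerable"], f["jndi_lookup_present"]) for f in findings}


if __name__ == "__main__":
    for path, (version, vuln, jndi) in demo().items():
        status = "VULNERABLE" if vuln else "ok" if vuln is False else "UNKNOWN"
        if vuln and not jndi:
            status = "vulnerable version, JndiLookup.class removed (mitigated)"
        print(f"{status:58} {path}")
```

Run it against the application directories of each service you host (for example the lib directories of your application servers). Anything reported as vulnerable with JndiLookup.class present needs an upgrade or, failing that, removal of that class; "unknown" results need a manual look at the jar's manifest.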
We will continue to keep a close eye on everything. Where the security of our platform or products is affected, we will of course take action. If something comes up that concerns you as a Fuga customer, we will communicate it through our usual channels. In the worst case this may be a direct email, but for now we expect to be able to cover it with news articles and messages on the Fuga platform.