The Log4j makes an appearance
A recent zero-day vulnerability impacting the Apache Log4j library was made public on December 9, 2021, and assigned the tag, CVE-2021-44228, scoring 10 of 10 on the Common Vulnerability Scoring System (CVSS).
The team at Hexnode is aware of this exploit. Nonetheless, we would like to assure our customers that none of our products, services, websites, and internal or third-party infrastructure uses the Apache Log4j module for logging purposes, and hence, are not affected by this vulnerability.
We will continue to track updates around this vulnerability and will offer more information as they become available.
What is the Log4j vulnerability?
Log4j is a popular Apache library used for logging errors and events in Java-based applications. It enables developers to view system activity logs and keep an eye out for any problems. However, with the recent vulnerability, it has been discovered that an attacker can insert a JNDI lookup which, when logged, can perform remote code execution. This in turn enables the attacker to break into the system, steal passwords and logins, and install malicious software.
According to CVE-2021-44228,
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Who are at risk?
Any Java-based software that uses the Log4j library, and runs Apache Log4j versions 2.0 to 2.14.1, are affected by these vulnerabilities. According to Google’s Open Source Insights, more than 35,000 Java packages, amounting to over 8% of the Maven Central repository (The most significant Java package repository), have been impacted by log4j vulnerabilities.
How can you protect yourself?
- Identify systems running the Apache Log4j library and patch them to the latest version (Versions 2.17.0, 2.16.0, and 2.15.0 have been patched or are currently unaffected by this vulnerability).
- Install updates and security patches provided by your tools and third-party vendors.
- Set your web application firewall to block Log4j library modules.
Log4j vulnerability overview – Hexnode is not affected
Following the Log4j exploit, Hexnode conducted a comprehensive security impact assessment to identify any potential vulnerabilities that may have arisen. The following are the results from the assessment.
- The Hexnode UEM cloud platform does not run on Java or use the Log4j library and is unaffected by this vulnerability.
- Similarly, our internal infrastructure does not run on Java or uses the Log4j library and is thus unaffected.
- All of our third-party tools and services that use Java have been thoroughly inspected and confirmed, and are found to be unaffected by these vulnerabilities.
We’re here for you
In the wake of this vulnerability, we understand that many of our customers and partners are concerned about Log4j’s potential threats to data security. You can rest assured, Hexnode is unaffected, and we do not anticipate any downtime.
As part of our standard operating procedure, we will continue to monitor the situation including third party services we use. If you have additional questions, you can always reach out to mdm-support@hexnode.com.
Share your thoughts