Security Update on Log4j 0-Day Vulnerability


Treasure Data is aware of a security vulnerability affecting the open-source Apache “Log4j” utility (CVE-2021-44228) and is providing this update to customers with questions about this vulnerability. Treasure Data has completed mitigation efforts related to this vulnerability, and our ongoing investigations have uncovered no evidence of any impact to the confidentiality, integrity, or availability of data stored in the Treasure Data platform.

Background

A security vulnerability affecting Apache Log4j versions 2.0 to 2.14.1 was disclosed on December 10, 2021. The vulnerability is a 0-day in the Java logging library log4j2 that can allow attackers to perform Remote Code Execution (RCE) by exploiting scenarios where a malicious payload can be written to the log.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228. More specifically, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

Treasure Data Security Enhancements

Immediately after becoming aware of the vulnerability, we launched investigations to understand the potential impact to:

  • Treasure Data-owned source code and services
  • Treasure Data client libraries
  • Third-party services integrated into the Treasure Data platform

Our team has addressed the vulnerability in all Treasure Data code and services by upgrading all vulnerable instances of the Log4j utility across our environment to version 2.15 or later, or by adding a “log4j2.formatMsgNoLookups=True” flag to the startup configuration. Treasure Data has also implemented additional network-based controls to provide another layer of visibility and protection against third-party services that have not completed their mitigation efforts. Treasure Data has also confirmed that client libraries were not impacted by this vulnerability.
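One way to audit a service inventory against the two mitigations described above, as an added example that is not Treasure Data's own tooling. The service names, paths and status labels are constructed for illustration, and the 2.10 cutoff for the flag comes from Apache's advisory rather than from this page.

```python
import re

# Affected range as stated on this page: Log4j 2.0 through 2.14.1.
FIRST_AFFECTED, LAST_AFFECTED = (2, 0, 0), (2, 14, 1)
# Per Apache's advisory (not stated on this page), the formatMsgNoLookups
# property is only honoured by Log4j 2.10 and later.
FLAG_MIN_VERSION = (2, 10, 0)

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")
FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\w+)", re.IGNORECASE)


def jar_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(path)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def lookups_disabled(jvm_args):
    """True if the startup arguments set log4j2.formatMsgNoLookups to true."""
    return any((m := FLAG_RE.fullmatch(a)) and m[1].lower() == "true" for a in jvm_args)


def assess(jvm_args, classpath):
    """Classify one JVM: not-present, upgraded, flag-mitigated or exposed."""
    versions = [v for v in map(jar_version, classpath) if v]
    affected = [v for v in versions if FIRST_AFFECTED <= v <= LAST_AFFECTED]
    if not versions:
        return "not-present"
    if not affected:
        return "upgraded"
    # The flag only counts if every affected jar is new enough to honour it.
    if lookups_disabled(jvm_args) and min(affected) >= FLAG_MIN_VERSION:
        return "flag-mitigated"
    return "exposed"


# Constructed sample inventory: service -> (JVM startup args, classpath entries).
INVENTORY = {
    "api": (["-Xmx2g"], ["/opt/app/lib/log4j-core-2.15.0.jar"]),
    "worker": (["-Dlog4j2.formatMsgNoLookups=True"], ["/opt/app/lib/log4j-core-2.13.3.jar"]),
    "legacy": (["-Dlog4j2.formatMsgNoLookups=true"], ["/opt/app/lib/log4j-core-2.8.2.jar"]),
    "batch": ([], ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/guava-31.0.jar"]),
    "proxy": ([], ["/opt/app/lib/slf4j-api-1.7.32.jar"]),
}

if __name__ == "__main__":
    for name, (args, cp) in INVENTORY.items():
        print(f"{name:8} {assess(args, cp)}")
```

Filename matching misses log4j-core classes repackaged inside shaded or fat jars, so a "not-present" result is provisional until the archive contents are inspected.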

Next Steps

Treasure Data will continue to monitor the situation and provide additional updates as necessary. No customer action is required at this time as a result of this vulnerability. Treasure Data will continue to work with third-party services to ensure there are no gaps in our protection against this vulnerability.


Aysha Khan
Aysha Khan is the Head of Security at Treasure Data, a leading enterprise CDP with more than 450 clients globally. Aysha is a cybersecurity leader with over 21 years of experience managing Information Security at Fortune 500 companies. She is passionate about driving business results by aligning strategy with agile execution. Aysha has a proven track record in building Security and Trust functions from the ground up and turning disjointed organizations into cohesive and collaborative environments.