Log4j RCE Vulnerability

Incident Overview

On Dec 10th, 2021 the Cybersecurity & Infrastructure Security Agency (CISA) released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. The flaw is in Log4j's JNDI lookup feature: if an attacker can get a string containing a ${jndi:...} lookup (for example in an HTTP header or a user-agent value) written to a log, Log4j resolves the lookup and can load and run attacker-supplied code, so a remote attacker could take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Proposed Remedy

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. (Apache later found the 2.15.0 fix incomplete, tracked as CVE-2021-45046, and shipped 2.16.0 and then the 2.17.x releases; treat the current Apache Log4j security page, rather than 2.15.0, as the minimum version to target.)
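As an added worked check (not part of the CISA advisory and not GRAX's own tooling), the Python script below decides whether a Java archive carries a log4j-core build in the affected range named above. It reads the version from the jar's Maven pom.properties, descends into jars nested inside wars and fat jars, and also reports whether the JndiLookup class is still present, since deleting that class from the jar was one of the mitigations Apache and CISA published. The sample jars it builds in memory are constructed for the demonstration; the file paths, function names and the "affected" rule (in-range version and lookup class still shipped) are this example's own assumptions.

```python
"""Find log4j-core builds in the CVE-2021-44228 range (2.0-beta9 to 2.14.1) inside Java archives."""
import io
import re
import zipfile
from pathlib import Path

# Where a Maven-built log4j-core jar records its own version, and the class that
# implements ${jndi:...} lookups. Deleting that class from the jar was one of the
# published mitigations, so its absence is reported alongside the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(text):
    """Map '2.14.1', '2.0-beta9' or '2.0-rc2' to a tuple that sorts correctly:
    a pre-release sorts before the final release carrying the same number."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = (_PRE_RANK[m[4]], int(m[5] or 0)) if m[4] else (len(_PRE_RANK), 0)
    return (major, minor, patch, pre)

AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")

def version_affected(text):
    """True if the version lies in the range the advisory names."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH

def iter_findings(data, label):
    """Yield (label, finding) for each log4j-core in archive `data` (bytes),
    descending into jars nested in wars, ears and fat jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m[1].strip() if m else None
        has_lookup = JNDI_LOOKUP_CLASS in names
        if version or has_lookup:
            try:
                in_range = version is not None and version_affected(version)
            except ValueError:
                in_range = None  # unparsable version string: leave for manual review
            yield label, {
                "log4j_core_version": version,
                "jndi_lookup_present": has_lookup,
                # Example's own rule: in-range version AND lookup class still shipped.
                "affected": None if in_range is None else (in_range and has_lookup),
            }
        for name in sorted(names):
            if name.lower().endswith(".jar"):
                try:
                    yield from iter_findings(zf.read(name), f"{label}!{name}")
                except zipfile.BadZipFile:
                    continue

def scan_directory(root):
    """Walk `root` and return {archive label: finding} for every log4j-core hit."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear", ".zip"}:
            try:
                results.update(iter_findings(path.read_bytes(), str(path)))
            except zipfile.BadZipFile:
                continue
    return results

def make_sample_jar(version, include_jndi_lookup=True, nested=None):
    """Constructed, minimal in-memory jar mimicking log4j-core's layout; `nested`
    maps entry names to jar bytes to embed, which simulates a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()

def demo():
    """Constructed samples standing in for a real scan: a vulnerable jar, the same
    jar with JndiLookup deleted, a fixed jar, and a war wrapping the vulnerable jar."""
    vulnerable = make_sample_jar("2.14.1")
    samples = {
        "log4j-core-2.14.1.jar": vulnerable,
        "log4j-core-2.14.1-patched.jar": make_sample_jar("2.14.1", include_jndi_lookup=False),
        "log4j-core-2.15.0.jar": make_sample_jar("2.15.0"),
        "app.war": make_sample_jar(None, include_jndi_lookup=False,
                                   nested={"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable}),
    }
    results = {}
    for label, data in samples.items():
        results.update(iter_findings(data, label))
    return results

if __name__ == "__main__":
    for label, finding in demo().items():
        print("AFFECTED" if finding["affected"] else "ok      ", label, finding)
```

Run the file directly to see the constructed samples, or call scan_directory("/opt/app") on a real tree. Two limits to keep in mind: the version range is the one this advisory cites, so the check says nothing about later backport releases (Apache also shipped fixed 2.12.2 and 2.3.1 builds for older JDKs), and a copy of log4j-core that a build has shaded or relocated under another package path will not be found by this path match.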

GRAX Impact

Log4j is not used directly in the GRAX runtime, and thus there is no direct impact or remediation needed in GRAX’s code base.

However, Log4j is used by the open-source Elasticsearch project, which is part of GRAX's infrastructure. Elasticsearch for GRAX is provided by either Bonsai.io or AWS (Amazon OpenSearch Service).

On Dec 10, Elastic.co published an advisory (ESA-2021-31) stating that Elasticsearch is NOT vulnerable to the remote code execution exploit, because its Java Security Manager policy and Log4j configuration block the JNDI lookup from loading remote code. The same advisory notes that some Elasticsearch versions running on older JDKs could be subject to an information leak through DNS lookups, which Elastic addressed in follow-up releases: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.

Subsequently, our hosted Elasticsearch provider, Bonsai.io, issued the following statement concluding that the issue is resolved for their service with no customer impact: https://status.bonsai.io/incidents/vp4k7qb4gtjn.

Amazon OpenSearch Service runs OpenSearch, a fork of the Elasticsearch codebase (branched from the 7.10.2 release), so the Elastic.co statement does not automatically cover it. AWS released a security bulletin on the issue indicating that Amazon OpenSearch Service domains will be updated automatically with no customer action necessary: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/.