Log4j RCE Vulnerability

Incident Overview

On December 10, 2021 the Cybersecurity & Infrastructure Security Agency (CISA) released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Proposed Remedy

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigation steps immediately.
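As an added example (not part of the CISA advisory or GRAX's own tooling), the Python below turns the published affected range into a check a defender can run over an inventory of jar paths, flagging log4j-core versions from 2.0-beta9 through 2.14.1 and treating 2.15.0 or later as fixed; the `classify_jar` helper, the `scan` function and the sample paths are assumptions made here.

```python
import re

# Range quoted in the CISA advisory for CVE-2021-44228; 2.15.0 is the fix release it points to.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"
FIXED = "2.15.0"

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_JAR = re.compile(r"log4j-core-([0-9][^/]*?)\.jar$")  # the api jar alone is not matched

def parse_version(v):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple; pre-release tags sort
    below the final release of the same number, so 2.0-beta9 < 2.0 < 2.0.1."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    stage = {"alpha": 0, "beta": 1, "rc": 2}.get(tag, 3)  # 3 = final release
    return (int(major), int(minor), int(patch or 0), stage, int(tagnum or 0))

def is_affected(version):
    """True when the version lies inside the published affected range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)

def classify_jar(path):
    """Hypothetical helper: (version, status) for a log4j-core jar path, else None.
    status is 'affected', 'fixed' (2.15.0 or later) or 'outside-range' (older than 2.0-beta9)."""
    m = _JAR.search(path)
    if not m:
        return None
    version = m.group(1)
    if is_affected(version):
        return version, "affected"
    if parse_version(version) >= parse_version(FIXED):
        return version, "fixed"
    return version, "outside-range"

def scan(paths):
    """Map every log4j-core jar in an inventory of paths to its (version, status)."""
    return {p: hit for p in paths if (hit := classify_jar(p)) is not None}

# Constructed sample inventory; hosts and paths are made up for this example.
SAMPLE_PATHS = [
    "/opt/elasticsearch/lib/log4j-core-2.11.1.jar",
    "/opt/elasticsearch/lib/log4j-api-2.11.1.jar",
    "/srv/app/lib/log4j-core-2.15.0.jar",
    "/srv/legacy/lib/log4j-core-2.0-beta9.jar",
    "/srv/legacy/lib/log4j-core-2.0-beta8.jar",
]
```

Calling `scan(SAMPLE_PATHS)` returns the four log4j-core entries with their status, which is the list a responder would use to decide where the 2.15.0 upgrade still has to be applied.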

GRAX Impact

Log4j isn't used directly in the GRAX runtime, and thus there is no direct impact or remediation needed in GRAX’s codebase.

However, Log4j is used in the open-source Elasticsearch project, which is part of GRAX's infrastructure. Elasticsearch for GRAX is provided by either Bonsai.io or AWS (AWS OpenSearch).

On December 10, Elastic.co published an advisory indicating that Elasticsearch isn't vulnerable to the remote code execution exploit.

Subsequently, our hosted Elasticsearch provider, Bonsai.io, issued the following statement concluding that the issue is resolved for their service with no customer impact: https://status.bonsai.io/incidents/vp4k7qb4gtjn.

AWS OpenSearch is a fork of the main Elasticsearch codebase. AWS released a security bulletin on the issue indicating that AWS OpenSearch environments are updated automatically with no customer action necessary: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/.