On December 10, 2021, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) reported that the Apache Software Foundation released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this JNDI (Java Naming and Directory Interface)vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. CISA has encouraged users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. Also, on December 13, 2021, CISA announced the formation of a designated web page to track the Log4j vulnerabilities in partnership with the Joint Cyber Defense Collaborative.
Archive360 conducted a threat analysis and can confirm thatArchive360’s Archive2Azure platform is not impacted by the Log4j vulnerability. Log4j is present within our Elastic search functionality, which has prompted a critical review of potential vulnerability exploits, and resulted in the following findings:
Archive360 uses Elasticsearch 6.8 and higher which is not susceptible to remote code execution (RCE) with this vulnerability due to the use of the Java Security Manager.
Archive360 Elasticsearch runs on JDK13 and higher. However, it was identified that Elasticsearch running on JDK8 or below is susceptible to an information leak via DNS.
Archive360 is not impacted by this possible leak due to the higher JVM version. However, out of an abundance of caution Archive360 will add the following explicit option to the JVM -Dlog4j2.formatMsgNoLookups=true.
The Archive360 Elasticsearch cluster (see note) is not publicly accessible.
Archive360 will continue to monitor this vulnerability exploit and report back further with updates and recommended actions to its customers. In the interim, Archive360 is taking the following next steps:
The JVM property -Dlog4j2.formatMsgNoLookups=true will be set as default out of an abundance of caution.
Remove from Elasticsearch certain components of Log4j out of an abundance of caution.
Add an additional NSG in front of the Elastic search cluster out of an abundance of caution.
Thank you for your consideration of this Statement. If you have questions or concerns, please contact your Archive360 Sales representative or ceo@archive360.com.
James M. McCarthy
Chief Compliance Officer & General Counsel
Note: “Cluster” refers to the series of virtual machines utilized by Archive360 to host search indexes