
Papirfly’s response to Log4j vulnerability CVE-2021-44228

December 15, 2021 at 10:30 UTC


Introduction

On 10th December 2021, a critical vulnerability, CVE-2021-44228 (referred to as Log4Shell), was disclosed. Many large software companies and online services, such as Amazon, Apple iCloud, Cisco, ElasticSearch, Tesla and Twitter, are affected. This article summarises the results of our investigation to date.

Description

The vulnerability is in Apache Log4j, a Java-based logging library used in many products and applications. It allows an attacker to execute their own code on a remote server, a so-called Remote Code Execution (RCE), and potentially take full control of the system. Services and systems that use the Apache Log4j library in versions 2.0 through 2.14.1 are affected.

What have Papirfly done?

We scanned our infrastructure to identify vulnerable applications and services. Here is a list of our findings and actions taken:

  • None of Papirfly’s Internet-facing applications use Log4j directly.

  • We found one application that includes an older version of Log4j (pre-2.0), which is not affected by this vulnerability.

  • We found one application, Elasticsearch 7.12.0, which includes Log4j 2.11.1 and is therefore affected by this vulnerability. This application is not reachable from the public Internet and only receives sanitised input from the Papirfly service, so we do not believe an attacker can exploit the vulnerability against Elasticsearch. Nevertheless, out of an abundance of caution, we have taken the following actions:

    • (09:10 UTC — Dec 13): Following advice from the authorities and the vendor, we implemented configuration changes and restarted services to immediately mitigate the vulnerability.
    • (11:30 UTC — Dec 13): Following advice from the vendor, we upgraded to Elasticsearch 7.16.1, which disables JNDI lookups and includes a patched version of Log4j from which the JndiLookup class has been removed.
    • (08:30 UTC — Dec 15): Our hosting provider informed us that a VMware component called vCenter (not Internet-facing) in our on-prem production environment uses a vulnerable version of Log4j. They are updating our vCenter server appliance from 6.7 to 7.0 U3A.
    • (12:01 UTC — Dec 15): A further vulnerability (CVE-2021-45046) was disclosed on 14th December after it was found that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This does not affect the Papirfly infrastructure, as we have upgraded to Elasticsearch 7.16.1, which mitigates the Log4j vulnerability by removing the JndiLookup class from the classpath.
    • (10:00 UTC — Dec 20): A further vulnerability (CVE-2021-45105) was disclosed on 17th December after it was found that Log4j 2.16 was vulnerable to a further denial-of-service (DoS) issue. This does not affect the Papirfly infrastructure, as we have upgraded to Elasticsearch 7.16.1, which provides full protection against all known CVEs. To prevent false-positive alerts from vulnerability scanners that look only at the version of the Log4j dependency, and in the interest of compliance, we are in the process of upgrading to Elasticsearch 7.16.2. This upgrades Apache Log4j2 to version 2.17.0 and retains the mitigations delivered in 7.16.1.
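The timeline above distinguishes two ways of judging a Log4j deployment: the version string of the log4j-core jar (which is all that many scanners read, hence the false positives mentioned) and whether the JndiLookup class is actually present in the jar (the mitigation shipped in Elasticsearch 7.16.1). The following Python script is an added example written for this article, not Papirfly's or Elastic's own tooling; it walks a library directory such as Elasticsearch's `lib/`, reports what a version-only scanner would flag, and separately checks for the JndiLookup class. The sample jars it builds are constructed stand-ins with dummy class bytes.

```python
import re
import zipfile
from pathlib import Path

# Added example, not Papirfly's own tooling. Checks log4j-core jars two ways:
# by version (what a scanner that only reads the dependency version does) and
# by whether the JndiLookup class is actually inside the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(name):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_NAME.search(name)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def assess_jar(jar_path):
    """Classify one jar; returns None for files that are not log4j-core."""
    version = parse_version(jar_path.name)
    if version is None:
        return None
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    flags = []
    if (2, 0, 0) <= version <= (2, 14, 1):
        flags.append("CVE-2021-44228")  # Log4Shell, JNDI lookup RCE
    if (2, 0, 0) <= version < (2, 16, 0):
        flags.append("CVE-2021-45046")  # incomplete 2.15.0 fix, still JNDI-based
    if (2, 0, 0) <= version < (2, 17, 0):
        flags.append("CVE-2021-45105")  # lookup recursion DoS, not JNDI-based
    return {
        "jar": jar_path.name,
        "version": version,
        "version_only_flags": flags,      # what a version-only scanner reports
        "jndi_lookup_present": has_jndi,  # True: the JNDI RCE vector is still on the classpath
    }


def scan_tree(root):
    """Walk a lib directory (e.g. Elasticsearch's) and assess every log4j-core jar."""
    return [r for p in sorted(Path(root).rglob("log4j-core-*.jar")) if (r := assess_jar(p))]


def make_sample_jar(directory, version, with_jndi):
    """Build a constructed stand-in jar for offline testing (dummy class bytes)."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path
```

A jar that a version-only scanner flags but that no longer contains JndiLookup is the false-positive case the timeline describes; the class check lets the two be told apart.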

We continue to monitor the situation and follow recommendations from the authorities and our vendors.

Conclusion

We do not believe that attackers have managed to exploit the vulnerability. We have taken steps as recommended by the authorities and our vendors to further secure Papirfly services.

We are continuing to investigate our exposure to this vulnerability and will provide further updates if any new risk to our users or our products is identified.

We are ready to handle any incidents.

Further information