- Dear INAP Customer,
By now, you’ve likely come across a plethora of news articles and blogs illustrating the severity of the Log4Shell vulnerability. INAP has been closely monitoring the situation since its initial discovery, maintaining continuous engagement with our security, development, and engineering teams. Here’s what you need to know:
What is Log4Shell?
Log4Shell is a software vulnerability first published publicly on December 10th,2021 with alleged claims of exploits “in the wild” as early as the beginning of the month. Specifically, this flaw can be found in Log4j, which is a java library for logging error messages in applications. This is an open-source library developed by the Apache Software Foundation and is a key component to Java logging framework. This vulnerability maintains a CVSS score of 10, which is the highest possible severity. If exploited successfully, a remote attacker can execute arbitrary code which may expose sensitive data, cause damage to data and/or gain control over the server. For more details, please see https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Why do I care about Log4j?
While you may have been unaware of the existence of this library and may not use it for your own application, it’s important to understand that many commercial applications do utilize the library and may be vulnerable. As an example, several management tools and appliances provided by network manufacturers are known to be exposed. Several popular software applications (or components of) such as some Atlassian products, Elasticsearch, Splunk, HPE, Dell and Solarwinds have all published advisories, with the majority supplying software patches/updates to remediate. Some components of VMware are also known to be affected, with workarounds published and patches in development. This highlights only a small few of the many applications that could be at risk. The National Cyber Security Centrum of the Netherlands has posted a running list on github, which can be viewed at https://github.com/NCSC-NL/log4shell/tree/main/software
. As always, if you are unsure whether your application is at risk, please engage with your software vendor directly.
Is INAP vulnerable?
INAP’s engineering and development teams, in conjunction with the Office of the CISO, have conducted an extensive audit and mitigation effort across all platforms. While some systems are known to utilize the log4j library, we have validated that none of these components are exposed or at risk to compromise. Additional workarounds have been implemented to eliminate traces of risk where necessary, and engineers continue to work closely with applicable software vendors to apply permanent patches immediately as they become available. To further supplement the effort, INAP has amended its internal traffic monitoring tools to detect and alert on any attempts of an attack and react if necessary. None of the network components in use by INAP infrastructure or used to provide our services (routers, switches, firewalls, load-balancers) use Log4j and therefore are not open to attack.
Are you vulnerable?
In the spirit of transparency, it’s important to note that INAP customers utilizing Virtual Private Cloud and Dedicated Private Cloud products are on a VMware platform. One component particularly in use utilizes Log4j called vCenter Server. However, in all cases this “virtual appliance” is not exposed to the public in any fashion and protected through network restriction policies. Accordingly, your environment is not presently at risk even though Log4j is utilized in vCenter Server. There is no patch available from VMware yet, but once released, the fixes will be applied immediately.
For all customers, we highly encourage you to check with your various software vendors and apply updates where necessary and as swiftly as possible. Our support staff is always available to answer any questions or give guidance on the right direction for contact.
Happy Holidays from INAP and stay safe!
Dec 23, 07:30 CST