Log4shell

Working with the ops team to identify and mitigate risk from log4j2 currently along with many others around the world. Log4j is pretty fundamental to how java applications do logging these days that you’re either using it directly if you’re running a jvm or are using something else that depends on it so you’re exposed anyways.

We are definitely users of log4j but thankfully not the feature that is the source of risk here. Anyways I’ll be keeping a post here with notes about what we’re doing as part of our response.

Our general strategy so far:

Identify risk in our applications
Patch systems as necessary
Widen the net to investigate how 3rd party tools and software are responding to the bug

We’re going to post a support bulletin letting customers know we’re on it and to provide a status update. Here are some examples of companies starting to do that:

Wave accounting email to customers

Wave log4shell email

AWS email to elasticsearch users

Hello,

AWS is aware of the recently disclosed security issue affecting the open source Apache “Log4j2” utility. This utility is used by Amazon OpenSearch Service. We have released a service software update R20211203-P2 that contains the updated “Log4j2” utility that addresses the issue for your domain(s) in the CA-CENTRAL-1 Region. We strongly recommend that you apply this software update immediately to mitigate this issue for your OpenSearch domains.

You can update the service software using the Amazon OpenSearch Service console [1]. If you have already updated your domain(s), or you see that the current Service Software Release in the Domain overview page shows ‘R20211203-P2’, no further action is required.

If you have any questions or concerns, please contact AWS Support [2].

[1] https://docs.aws.amazon.com/opensearch-service/latest/developerguide/service-software.html [2] https://aws.amazon.com/support

Sincerely, Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210

Applitools email to customers

On Friday 10th December, Apache announced a critical vulnerability within the LOG4J logging library for Java (also now known as “Log4Shell”, CVE-2021-44228).

Security has always been a top priority for Applitools, and our engineers are fully aware of the recent RCE vulnerability in log4j, affecting numerous applications. Our security specialists immediately conducted a complete impact assessment, and validated that throughout our environment, log4j is not used or depended on by any services we use.

Therefore, Applitools services including the Eyes and Ultrafast Grid services are unaffected. Customers with on-premise installations of Applitools are also unaffected, and won’t need to upgrade or patch any components to address this particular vulnerability. Our security specialists are confident that Applitools products can continue to be safely used without exposure to the Apache log4j RCE vulnerability.

Our engineers and security team continue to monitor emerging security vulnerabilities and threats and are ready for rapid response should any new vulnerabilities emerge in the future.

Thanks and Happy testing

The Applitools Team

Links