SideDrawer's Response on the recent Log4j vulnerability
Updated as of December 20, 2021
On December 9th, 2021, SideDrawer's engineering team was made aware of a very serious vulnerability in a popular Java-based logging package named "Log4j." This vulnerability, categorized as a Remote Code Execution (RCE), allows an attacker to execute arbitrary code on a remote server and can result in complete system takeover.
Due to the widespread use of Java and of the "Log4j" dependency, this is probably one of the most serious vulnerabilities seen on the Internet since "Heartbleed" and "ShellShock."
On December 10, 2021, the first use of the exploit was reported, with mass scanning from multiple hosts for servers running vulnerable versions of Apache Log4j. The vulnerability received a rating of 10 (the maximum severity) on the NIST CVSS scale for assessing vulnerability and risk, and Apache has already released Log4j 2.15.0 to address it.
The following actions were taken:
- A ticket into IT Security was opened with the highest priority.
- The team started monitoring the situation and learning about the vulnerability to determine how it works and how it may manifest in the SideDrawer environment.
- Cloudflare announced that they deployed three new Web Application Firewall (WAF) rules to help mitigate any exploit attempts, and the SideDrawer IT Security & Infrastructure team ensured those rules were applied on our environment.
- It was determined that those WAF rules have been configured with a default action of BLOCK.
- The team analyzed the code repository to determine whether the vulnerability is present within our stack.
- Out of all our APIs and over 450 endpoints, we identified only one API function as vulnerable. This function relates to a third-party integration: it uses that vendor's library, which has a dependency on the affected version (log4j 2.14.1).
- This functionality was taken offline until the patches were implemented two days later, with no service disruption to our users.
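The repository review in the steps above comes down to locating every copy of log4j-core, including ones pulled in transitively by a third-party library, and comparing its version against the fixed release. The script below is an added illustration of that check and is not SideDrawer's own tooling; the `mvn dependency:tree` output it parses is constructed, and the fixed-version threshold (2.15.0, as named on this page) is a parameter you should raise to your current baseline.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not a real SideDrawer tree).
# A third-party integration SDK pulls in log4j-core 2.14.1 transitively, which is
# the pattern the advisory describes for its single affected API function.
SAMPLE_TREE = """\
[INFO] com.example:sidedrawer-api:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.13:compile
[INFO] +- com.thirdparty:integration-sdk:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:test
"""

FIXED_VERSION = "2.15.0"  # release named on this page; adjust to your current baseline

# Matches group:artifact:jar:version[:scope]; the root line has no scope.
ARTIFACT_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):jar:(?P<version>[\w.-]+)(?::(?P<scope>\w+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_vulnerable_log4j(tree: str, fixed: str = FIXED_VERSION) -> List[dict]:
    """Return each log4j-core node below the fixed release, with the path that pulls it in."""
    findings: List[dict] = []
    stack: List[Tuple[int, str]] = []  # (indent, coordinate) for the current ancestor chain
    for line in tree.splitlines():
        m = ARTIFACT_RE.search(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}:{m['version']}"
        indent = line.index(m["group"])  # deeper indent means a child of the previous node
        while stack and stack[-1][0] >= indent:
            stack.pop()
        is_core = m["group"] == "org.apache.logging.log4j" and m["artifact"] == "log4j-core"
        if is_core and parse_version(m["version"]) < parse_version(fixed):
            findings.append({"version": m["version"], "scope": m["scope"],
                             "path": [c for _, c in stack] + [coord]})
        stack.append((indent, coord))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"log4j-core {f['version']} ({f['scope']}) via " + " -> ".join(f["path"]))
```

The reported path identifies which direct dependency to upgrade or take offline, which is the decision the advisory describes for its third-party integration.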
Our conclusions are as follows:
- Our team reviewed all components of our system, and took the necessary steps to address the issue where applicable with no impact to our service availability.
- There was no unauthorized use, exposure, or attempt to exploit in our system.
- The risk impact for the SideDrawer platform is low. However, as the situation continues to evolve, SideDrawer's team will continue to monitor it and any new developments.
Wondering about our Service Providers? See our complete list of sub-processors here. Where available, we have included a link to the respective sub-processor's response page:
Other recommended websites and resources to monitor:
- US Cybersecurity & Infrastructure Security Agency
- Apache's Log4j Update page
- Cloudflare's Log4j response page
If you have any questions or concerns, please contact us at firstname.lastname@example.org.