Devo Security Advisory for Apache Log4j

Devo Advisory ID: Devo-2021-fz91vh

Severity: Critical

Published: 2021-12-17 13:00 GMT

Updated: –

CVSSv3 Score: 10

CVE-2021-44228

CVE-2021-45046

Context: A third-party vulnerability was discovered on December 9, 2021 in the Apache Log4j Library whereby a critical remote code execution may be possible. All systems using the Log4j library version from 2.0-beta 9 to 2.15.0 are considered vulnerable. 

Summary

Investigation

At this time, all the Devo products in the different cloud environments have been investigated for potential log4j vulnerabilities using both manual and automated checks. 

Impacted Cloud Environments

The following Devo cloud environments have been upgraded to Log4j 2.16.0 as of December 17, 2021:

  • us.devo.com
  • eu.devo.com
  • ca.devo.com

Impacted Cloud Products

The following Devo products have been upgraded to Log4j 2.16.0 as of December 17, 2021:

  • Devo Platform up to 7.7.2 and fixed in 7.8.0
  • Devo Flow 1.4.0 fixed in 1.4.1

Impacted Cloud Services

The following Devo cloud services have been upgraded to Log4j 2.16.0 as of December 17, 2021:

  • Correlation – log4j component has been upgraded from 2.11.2 to 2.16
  • Query Engine – log4j component has been upgraded from 2.11.2 to 2.16
  • Search UI – log4j component has been upgraded from 2.11.2 to 2.16
  • Data Persistence – log4j component has been upgraded from 2.11.2 to 2.16
  • Web UI – log4j component has been upgraded from 2.11.2 to 2.16
  • ActiveBoards – log4j component has been upgraded from 2.11.2 to 2.16
  • Security Operations – log4j  8 of 9 components have been upgraded from 2.11.2 to 2.16, one subservice has been mitigated.

Confirmed Non-Impacted Cloud Products

As part of our investigation, we’ve determined the following products are not impacted by CVE-2021-44228:

  • Devo Relay
  • Devo Service Operations
  • Devo Endpoint Agent & Manager
  • Devo Stats
  • Devo Collection Server

Other Information

As our investigation continues we will continue to update this advisory.

Additionally, to assist your independent investigations to potentially uncover targeted abuse of the log4j vulnerability or exploitation across your enterprise, we recommend that you read the blog post written by the Devo Security Research Team: 

https://www.devo.com/detection-of-log4shell-vulnerability-and-exploitation-with-devo/

 

 

Ready to release the full potential of your security data?

Tour the Product Request a Demo