Security Update on Log4j 0-Day Vulnerability
Last updated December 14, 2021
Treasure Data is aware of a security vulnerability affecting the open-source Apache “Log4j” utility (CVE-2021-44228) and is providing this update to customers with questions about this vulnerability. Treasure Data has completed mitigation efforts related to this vulnerability, and our ongoing investigations have uncovered no evidence of any impact to the confidentiality, integrity, or availability of data stored in the Treasure Data platform.
Background
A security vulnerability affecting Apache Log4j versions 2.0 to 2.14.1 was disclosed on December 10, 2021. The vulnerability is a 0-day in the Java logging library log4j2 that can allow attackers to perform Remote Code Execution (RCE) wherever a malicious payload can be written to the log.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures alert, CVE-2021-44228. More specifically, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
Treasure Data Security Enhancements
Immediately after becoming aware of the vulnerability, investigations were launched to understand the potential impact to:
- Treasure Data-owned source code and services
- Treasure Data client libraries
- Third-party services integrated into the Treasure Data platform
Our team has addressed the vulnerability in all Treasure Data code and services by upgrading all vulnerable instances of the Log4j utility across our environment to version 2.15 or later, or by adding a “log4j2.formatMsgNoLookups=True” flag to the startup configuration. Treasure Data has also implemented additional network-based controls to provide another layer of visibility and protection against third-party services that have not completed their mitigation efforts. Treasure Data has also confirmed that client libraries were not impacted by this vulnerability.
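The two remediation paths described above can be checked per service from a jar inventory and the JVM startup arguments. The following is an added example, not Treasure Data's tooling: the function names, service names and paths are hypothetical, and the 2.10 minimum for the flag comes from Log4j's own behaviour rather than from this advisory.

```python
import re

# Bounds from the advisory: 2.0 to 2.14.1 affected, 2.15 or later upgraded.
FIXED = (2, 15, 0)
# Fact about Log4j, not from the advisory: the property is honoured from 2.10.
FLAG_MIN = (2, 10, 0)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
FLAG_RE = re.compile(r"^-Dlog4j2\.formatMsgNoLookups=(.+)$")


def jar_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(path)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def lookups_disabled(jvm_args):
    """True if a startup argument sets formatMsgNoLookups to true."""
    hits = (FLAG_RE.match(a) for a in jvm_args)
    return any(m and m.group(1).lower() == "true" for m in hits)


def classify(jar_path, jvm_args):
    """Map one jar plus its JVM arguments to a remediation status."""
    v = jar_version(jar_path)
    if v is None:
        return "not-log4j-core"
    if v >= FIXED:
        return "upgraded"
    # Below 2.10 the flag is ignored, so only an upgrade remediates.
    if v >= FLAG_MIN and lookups_disabled(jvm_args):
        return "mitigated-by-flag"
    return "vulnerable"


# Constructed sample inventory; service names and paths are hypothetical.
INVENTORY = [
    ("/opt/svc-a/lib/log4j-core-2.14.1.jar", ["-Xmx2g"]),
    ("/opt/svc-b/lib/log4j-core-2.13.3.jar", ["-Dlog4j2.formatMsgNoLookups=True"]),
    ("/opt/svc-c/lib/log4j-core-2.15.0.jar", []),
    ("/opt/svc-d/lib/log4j-core-2.8.2.jar", ["-Dlog4j2.formatMsgNoLookups=true"]),
]


def report():
    return [(path, classify(path, args)) for path, args in INVENTORY]


if __name__ == "__main__":
    print(*report(), sep="\n")
```

The filename match only finds jars that keep their original name; copies bundled inside fat jars or renamed archives need a content-level scan.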
Next Steps
Treasure Data will continue to monitor the situation and provide additional updates as necessary. No customer action is required at this time as a result of this vulnerability. Treasure Data will continue to work with third-party services to ensure there are no gaps in our protection against this vulnerability.