Security Update on Second Log4j Vulnerability
Last updated December 17, 2021

Treasure Data is aware of an additional security vulnerability affecting the open-source Apache “Log4j” utility (CVE-2021-45046) and is providing this update to customers with questions about this vulnerability. Unlike the earlier critical severity vulnerability associated with Log4j (CVE-2021-44228), this second vulnerability is rated as low severity.
As opposed to the previous critical vulnerability, which could result in a compromise of impacted systems and a subsequent breach of data, the impact of this new vulnerability on affected systems is simply a degradation of system performance. Although that lowers the severity of, and the risks associated with, the vulnerability, Treasure Data has already initiated immediate remediation efforts.
The investigation launched by Treasure Data after the disclosure of the original vulnerability is still ongoing, and we have found no evidence of any impact on the confidentiality, integrity, or availability of data stored in the Treasure Data platform.
Treasure Data will continue to monitor the situation and provide additional updates as necessary. No customer action is required at this time as a result of this vulnerability. Treasure Data will continue to work with third-party services to ensure there are no gaps in our protection against this vulnerability across the entire Treasure Data ecosystem.
December 17th Update: Treasure Data is aware of the recent upgrade of CVE-2021-45046 to “critical” severity. As mentioned in the original version of this post, Treasure Data initiated immediate remediation efforts for this issue as soon as it was discovered on December 14th. As of today, we can report that the majority of those efforts have been completed. Additionally, our ongoing investigation and monitoring efforts continue to show no evidence of any impact on our systems as a result of this issue.
December 20th Update: Treasure Data is aware of a third security vulnerability affecting the open-source Apache “Log4j” utility (CVE-2021-45105) and is providing this update to customers with questions about this vulnerability. Unlike the earlier critical severity vulnerabilities associated with Log4j, which could result in a compromise of impacted systems and a subsequent breach of data, the impact of this new vulnerability on affected systems is a degradation of system performance, or “denial-of-service.”

Treasure Data will continue to monitor the situation and provide additional updates as necessary. Treasure Data is committed to continually enhancing the stability and security of our platform with every new release. Enhancements that will fully mitigate CVE-2021-45105 are currently targeted for inclusion in a future Treasure Data update as part of that process.