Scalefusion Security Advisory for Apache Log4J2 Vulnerability
  • 27 Sep 2023

Issue Description

The Scalefusion team is aware of the critical security vulnerability discovered in the Apache Log4J2 library, CVE-2021-44228. If exploited, this vulnerability allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

A patch was released for CVE-2021-44228, but it was deemed incomplete, and a new vulnerability, CVE-2021-45046, was reported.

Here we have captured the action taken and the current status.

Handling by Scalefusion

Current Status:

  • CVE-2021-44228: All systems and modules have been patched. We identified all the modules and systems that consume the libraries that were vulnerable to the attack and took the necessary action immediately. As it stands, none of our software uses the version of the library that is prone to exploits.
  • CVE-2021-45046: All systems and modules have been patched. We identified all the modules and systems that consume the libraries that were vulnerable to the attack and took the necessary action immediately. As it stands, none of our software uses the version of the library that is prone to exploits.

Impact of the Vulnerability on Scalefusion Cloud Infrastructure

  • CVE-2021-44228: None. We have investigated the potential impacts on our cloud infrastructure and have found no evidence that this vulnerability was exploited before we had patched all our systems.
  • CVE-2021-45046: None. We have investigated the potential impacts on our cloud infrastructure and have found no evidence that this vulnerability was exploited before we had patched all our systems.

What Should Customers Do?

No action required. There is no action required from our customers who are using Scalefusion Online or cloud-based services.

If you have any questions or comments, please reach out to support@scalefusion.com.

