CVE UPDATE: Log4j Vulnerability (CVE-2021-44228)

Last updated December 13, 2021 5:00pm PST

On 10 December 2021, NUWAVE became aware of the industry wide Log4j vulnerability (CVE-2021-44228) which may permit unauthenticated remote code execution (RCE) on Java applications running a vulnerable version of Apache’s Log4j 2 [1]. NUWAVE has investigated this issue across its key products and services, including the iPilot platform, and has determined that our key products and services do not employ the vulnerable Log4j component.

Some ancillary supporting infrastructure were found to potentially use the Log4j component. As a precautionary measure, the NUWAVE engineering and security teams have examined the logs and confirmed that no tampering or exploitation was performed on supporting infrastructure as the Log4j service was running on a protected network unreachable from the outside. These identified ancillary Log4j services were blocked as a further mitigating effort until patching is applied from vendors and the change management process occurs.

For all questions and concerns, please reach out to the NUWAVE Security Team (NST) at  security@nuwave.devwww-west.na.nuwave.com or your account manager. Security and privacy remain one of the highest priorities at NUWAVE, and we will continue to monitor this situation closely.

 

References

Easterly, J. (2021, December 11). Statement from CISA Director Easterly on Log4j Vulnerability. Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

Nist.gov. (2021, December 10). CVE-2021-44228 Detail. National Vulnerability Database. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Footnotes

[1] The Log4j vulnerability (CVE-2021-44228) permits unauthenticated remote code execution (RCE) on any Java applications running a vulnerable version of Apache’s Log4j 2. It poses a severe risk to those using this version, because it can permit an unauthorized access or complete control over systems when exploited correctly.