Log4j exploit: report on CDQ Cloud Platform

A vulnerability has recently been discovered and assigned the highest warning level by the German IT security department. CDQ is monitoring the situation, and we have taken appropriate actions to ensure the security of our Cloud Services.

 

What happened?

On Friday, December 10, various security news channels reported a new vulnerability in the Apache Log4j library. The vulnerability (CVE-2021-44228) allows remote code execution. For more technical details, please visit the official Apache Blog.

 

What has been done?

After security experts published the exploit, we started analyzing the potential impact on the CDQ Cloud Platform. Here are our preliminary findings:

● CDQ codebase: Log4j is not used as the default logging framework in our components. However, we identified 3 internal components that were affected. All of them have already been patched successfully by following the mitigation guidelines. None of them was exposed to the internet at any time, and they were therefore at no time a security risk.

● Third-party services: We have identified critical providers, who have been conducting their own investigations and have taken mitigation measures. No incident has been reported so far, and we will keep monitoring their updates.

● At this time, there is no indication that CDQ customer data has been affected.

 

What next?

We will continue our monitoring and analysis to ensure the safety of the CDQ Cloud Platform, and will provide updates on the situation when appropriate.

Update 07.01.2022: We also analyzed the related Log4j vulnerabilities CVE-2021-44832 and CVE-2021-44832, which have been identified by the community. We confirm that the affected components run on Log4j version >=2.17.1 and hence fully comply with the recommended mitigation actions.

 

Do you have any questions?

Please contact me!
Martin Ofner
✉︎ martin.ofner@cdq.com
