Contents x
      Wasabi statement on Log4j (CVE-2021-44228) security vulnerability
      • 09 Sep 2024
      • 1 Minute to read
      • Print
      • PDF
      Contents

      Wasabi statement on Log4j (CVE-2021-44228) security vulnerability

      • Updated on 09 Sep 2024
      • 1 Minute to read
      • Print
      • PDF
      Article summary

      Dec 13, 2021: Wasabi is aware of the vulnerability disclosed by Log4j (CVE-2021-44228) and has completed verification that this issue does not affect any Wasabi products or services. 

      A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on the project’s GitHub on December 9, 2021, and designated as CVE-2021-44228 with the highest severity rating of 10. The flaw has been dubbed Log4Shell.

      Log4j 2 is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors the opportunity to take control of any Java-based, internet-facing server and engage in Remote Code Execution (RCE) attacks. 

      From CVE-2021-44228 detail: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” The impact from this vulnerability is likely to be very widespread. There are already reports that threat actors are actively engaged in mass Internet scanning to identify servers vulnerable to exploitation. 

      Wasabi is aware of the vulnerability and has completed verification that this issue does not affect any Wasabi products or services. 

      This includes our service itself as well as Wasabi Explorer, Wasabi Account Control Manager, Wasabi Cloud NAS, and Wasabi File Acceleration. 

      For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Wasabi), Apache, which looks after the Log4j product, has published a security advisory about the issue. Recommended steps you can take include:

      • Upgrade to Apache Log4j 2.15.0. If you’re using Log4j, any 2.x version from 2.14.1 earlier is apparently vulnerable by default.

      • If you are still using Log4j 1.x, don’t, because it’s completely unsupported. Note that Log4j 1.x has a Log4Shell-style bug of its own, dubbed CVE-2021-4104, so that the lack of support for this version means that this bug will probably never be patched. You need to switch to the latest version (2.15.0) if you plan to stay with Log4j.

      • Block JNDI from making requests to untrusted servers. If you can’t update, but you’re using Log4j 2.10.0 or later, you can set the configuration value log4j2.formatMsgNoLookups to true, which prevents LDAP and similar queries from going out in the first place.

      If you have any other questions regarding the Log4j issue and Wasabi, please reach out to support@wasabi.com for further assistance.

      What's Next
      Copyright © 2024 by Wasabi Technologies LLC
      75 Arlington Street, Suite 810, Boston, MA 02116 USA
      All Rights Reserved
      Visit us at https://wasabi.com.
      WASABI and the WASABI logo are trademarks of Wasabi Technologies LLC and may not be used without permission of Wasabi Technologies. All other names are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

      Information presented herein is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. No part of this information may be reproduced or transmitted in any form by means electronic or mechanical, for any purpose, without express written permission of Wasabi Technologies.