Skip to main content

How can we help you?

Druva Documentation

Security update for Apache Log4j2 vulnerabilities

Advisory ID: Druva/DVSA-2021-003

Issue date: 12-13-2021

Last updated: 01-13-2022

Advisory status: Final

Changelog

Date Version Description
12-13-2021 1.0 Initial public release
12-14-2021 2.0 Updates to product nomenclature and impact status
12-21-2021 3.0 Updates to impact status of the new Log4j CVEs
01-13-2022 4.0 Updates to impact status of the new Log4j CVEs

Issue summary

The Druva Security and Engineering teams have analyzed the recently disclosed security vulnerabilities related to Apache Log4j2, which is a logging tool used in many Java-based applications. We have investigated and addressed any potential exposure within Druva products and backend services that might rely on the vulnerable version of Log4j2.

Please note that Druva does not natively use Log4j in the Druva Cloud. AWS and other third-party vendor-managed services that directly support our platform were patched by the respective vendors and the updates were promptly applied wherever applicable for CVE-2021-44228 and CVE-2021-45046. We will continue to monitor the situation and implement additional remediations as appropriate.

Product status

Here is the impact status of the Druva products:

Product

Component

Impact status of

CVE-2021-44228 and CVE-2021-45046

Impact status of

CVE-2021-45105 and  CVE-2021-44832 

Endpoint (Druva inSync)

Agents (Windows, Linux, MAC, iOS, Android)

Not impacted

Not impacted

AD Connector (Windows)

Not impacted

Not impacted

CloudCache (Windows)

Not impacted

Not impacted

e-Discovery Client (Windows, MAC, Linux)

Not impacted

Not impacted

Direct Download Utility (Windows, MAC, Linux)

Not impacted

Not impacted

SaaS Apps (Druva inSync)

  • M365 (Microsoft 365)
  • Google Workspace
  • Slack

Not impacted

Not impacted

Salesforce (Versions 1.0 and 2.0)

Remediated

Not impacted

Hybrid Workloads (Druva Phoenix)

Proxies and Agents:

  • VMware (Linux)
  • Hyper-V (Windows)
  • Hyper-V FLR (Linux)
  • Oracle Phoenix Backup Store (Windows, Linux)
  • Oracle Direct to Cloud (Linux)
  • NAS (Windows, Linux)
  • File Server (Windows, Linux)
  • MS SQL (Windows)
  • AWS Proxy (Linux)

Not impacted

Not impacted

CloudCache (Windows, Linux)

Not impacted

Not impacted

Snowball Edge (CloudCache)

Not impacted

Not impacted

Native Workloads (Druva CloudRanger)

Native Workloads

Remediated

Not impacted

Druva Cloud Platform

Cloud Platform

Remediated

Not impacted

Druva is aware of the recently disclosed vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 that impact the log4j releases prior to 2.17.1 in non-default configurations. We have evaluated the CVEs and vulnerable configuration parameters (pre-condition to successful exploitation) and confirm that the Druva products and core services are not vulnerable. Additionally, third-party vendors used in Druva's core production service have affirmed that the new CVEs are not exploitable in their components/services.

Customer action required

Do note that no customer action is required. 

Druva has implemented network-level monitoring and controls to prevent exploitation of these CVEs. We will continue to monitor any future updates to Log4j2 and its exposure to Druva Products and the Cloud Infrastructure. For additional details or assistance, please contact Druva Support.