Security update for Apache Log4j2 vulnerabilities
Advisory ID: Druva/DVSA-2021-003
Issue date: 12-13-2021
Last updated: 01-13-2022
Advisory status: Final
Changelog
Date | Version | Description |
12-13-2021 | 1.0 | Initial public release |
12-14-2021 | 2.0 | Updates to product nomenclature and impact status |
12-21-2021 | 3.0 | Updates to impact status of the new Log4j CVEs |
01-13-2022 | 4.0 | Updates to impact status of the new Log4j CVEs |
Issue summary
The Druva Security and Engineering teams have analyzed the recently disclosed security vulnerabilities related to Apache Log4j2, which is a logging tool used in many Java-based applications. We have investigated and addressed any potential exposure within Druva products and backend services that might rely on the vulnerable version of Log4j2.
Please note that Druva does not natively use Log4j in the Druva Cloud. AWS and other third-party vendor-managed services that directly support our platform were patched by the respective vendors and the updates were promptly applied wherever applicable for CVE-2021-44228 and CVE-2021-45046. We will continue to monitor the situation and implement additional remediations as appropriate.
Product status
Here is the impact status of the Druva products:
Product | Component | Impact status of CVE-2021-44228 and CVE-2021-45046 | Impact status of CVE-2021-45105 and CVE-2021-44832 |
Endpoint (Druva inSync) | Agents (Windows, Linux, MAC, iOS, Android) | Not impacted | Not impacted |
Endpoint (Druva inSync) | AD Connector (Windows) | Not impacted | Not impacted |
Endpoint (Druva inSync) | CloudCache (Windows) | Not impacted | Not impacted |
Endpoint (Druva inSync) | e-Discovery Client (Windows, MAC, Linux) | Not impacted | Not impacted |
Endpoint (Druva inSync) | Direct Download Utility (Windows, MAC, Linux) | Not impacted | Not impacted |
SaaS Apps (Druva inSync) | | Not impacted | Not impacted |
SaaS Apps (Druva inSync) | Salesforce (Versions 1.0 and 2.0) | Remediated | Not impacted |
Hybrid Workloads (Druva Phoenix) | Proxies and Agents: | Not impacted | Not impacted |
Hybrid Workloads (Druva Phoenix) | CloudCache (Windows, Linux) | Not impacted | Not impacted |
Hybrid Workloads (Druva Phoenix) | Snowball Edge (CloudCache) | Not impacted | Not impacted |
Native Workloads (Druva CloudRanger) | Native Workloads | Remediated | Not impacted |
Druva Cloud Platform | Cloud Platform | Remediated | Not impacted |
Druva is aware of the recently disclosed vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 that impact Log4j releases prior to 2.17.1 in non-default configurations. We have evaluated the CVEs and vulnerable configuration parameters (pre-condition to successful exploitation) and confirm that the Druva products and core services are not vulnerable. Additionally, third-party vendors used in Druva's core production service have affirmed that the new CVEs are not exploitable in their components/services.
Customer action required
Do note that no customer action is required.
Druva has implemented network-level monitoring and controls to prevent exploitation of these CVEs. We will continue to monitor any future updates to Log4j2 and its exposure to Druva Products and the Cloud Infrastructure. For additional details or assistance, please contact Druva Support.
Additional details
For additional details about this vulnerability, please review the following publications:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- https://logging.apache.org/log4j/2.x/index.html
- https://aws.amazon.com/security/security-bulletins/AWS-2021-006/