Log4j Disclosure

Engrain Security Statement: Apache Log4j Vulnerability

Overview

On Friday, December 10, 2021, we observed the announcement of the previously unknown zero-day vulnerability CVE-2021-44228 in log4j, the commonly used logging library for Java-based software.

Our teams have conducted a full impact assessment since the vulnerability was initially documented. You will find details for each product line and service below.

SightMap

SightMap is hosted on Amazon Web Services (AWS) and relies upon several AWS services. We have reviewed our AWS environment and the AWS Security Bulletin. As of December 17, 2021, all affected AWS services relied upon have been patched.

Our operations team is in the process of upgrading an internal Elasticsearch/Logstash/Kibana (ELK) instance to version 7.16.2, which was released on December 19, 2021. The Logstash server is not directly exposed to the public internet, and we have reviewed the captured log data and have not identified any exploit attempts. We will continue to review the logs and will update here once the upgrade has been completed.

According to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476,

Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage. This is due to Elasticsearch’s usage of the Java Security Manager.

Our instance runs openjdk 11.0.7 2020-04-14 LTS, so this Java Security Manager mitigation applies to the instance. However, out of an abundance of caution, we are upgrading to the latest patch.

https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2

No other components of SightMap require Java; they therefore do not use the log4j library and have not been impacted by the vulnerability.

Asset Intelligence

Asset Intelligence is hosted on Amazon Web Services (AWS) and relies upon several AWS services. We have reviewed our AWS environment and the AWS Security Bulletin. As of December 17, 2021, all affected AWS services relied upon have been patched.

No components of Asset Intelligence require Java; they therefore do not use the log4j library and have not been impacted by the vulnerability.

TouchTour

TouchTour servers are hosted on either Google Cloud Platform (GCP) or Media Temple. We have reviewed the GCP Security Advisory and identified that none of the GCP services relied upon are impacted by the vulnerability.

No components of TouchTour require Java; they therefore do not use the log4j library and have not been impacted by the vulnerability.

We have reviewed the machine images used to prepare the TouchTour panels and have identified that the Java runtime is not installed and no installed software is impacted by the vulnerability.

Website Hosting & Creative Services

Websites are hosted on either Kinsta or Media Temple. No components of the websites we build and deploy require Java; they therefore do not use the log4j library and have not been impacted by the vulnerability.