As was widely reported yesterday, a critical unknown vulnerability was found in log4j, an open-source logging library used by apps and services across the internet. If exploited, the vulnerability would allow remote code execution on vulnerable servers.
When this zero-day exploit was announced, we began a deep dive in to reviewing the impact that this would have on us and you and made an announcement on Twitter that we were aware of this vulnerability.
With clients that have reached so far to get information regarding this, there appears to be some confusion over what is impacted. This vulnerability does not affect the Apache Web Server, which is commonly used in our services, but impacts Apache Log4j. The Apache Software Foundation, started in 1999, supports a number of open-source software projects which include both the Apache Web Server and Log4j. Log4j is a Java based logging package which is seldomly used with the services we provide.
As a result, the impact surface of this vulnerability was rather narrow for services we manage as Log4j is not utilized as part of our normal deployment.
- Managed Cloud Servers using Elasticsearch or Apache Solr were possibly vulnerable and mitigation measures were put in place as soon as they became available.
We have conducted a thorough review of our Elastic Hosting, Multi Account Reseller Hosting, Managed WordPress Hosting, and Email Hosting were unaffected by this vulnerability. Other than the noted Managed Cloud Server above utilizing Elasticsearch or Apache Solr, were as well not impacted.
Where this vulnerability could have impacts is with our Self Managed Cloud Servers. As we are not managing these servers, nor have access to the server itself, we are unable to conduct a review of the impacts this would have with the environments that have been set up.
If you have one of our Self Managed Cloud Servers, it is strongly recommended to conduct your own independent assessment of your set up and take necessary steps and actions to mitigate this vulnerability. We have reached out to some of these clients where we could see from the outside that this vulnerability may be impacting them.
As more and more information come to light on this vulnerability, we will be updating this blog post with any other pertinent and relevant information that you, our clients, should be aware of as well as any further actions we have taken to mitigate this vulnerability.