
Cloudsmith Not Impacted By CVE-2021-44228 (log4shell / log4j)

Updates

  • 2021-12-22: Moved mitigation advice to the next blog article.
  • 2021-12-20: Suggested log4j 2.17.0 instead due to a DoS exploit in 2.16.0.
  • 2021-12-15: Suggested log4j 2.16.0 instead due to a DoS exploit in 2.15.0.

Background

The log4j library, maintained by the Apache Software Foundation (ASF), is a general-purpose and widely used logging framework for Java. It allows developers to log data, including user-supplied data, from their applications.

On 10th December 2021, a critical-severity Remote Code Execution (RCE) vulnerability in log4j was publicly disclosed as CVE-2021-44228, affecting versions below 2.15.0. The vulnerability has been dubbed Log4Shell.

Reported to Apache by Alibaba on 24th November 2021, it has been characterized as one of the most impactful vulnerabilities of the last decade. Apache assigned it a CVSS rating of 10, the highest available score.

Applications that use the log4j library, and in which malicious actors can influence what gets logged, can be exploited with crafted strings that cause arbitrary attacker-supplied code to be executed on the server.

Is Cloudsmith impacted?

In short: No. Following a security audit, we confirm that CVE-2021-44228 does not impact the Cloudsmith service. As per our last announcement regarding ISO27001 certification, we're highly committed to security and privacy, and we'll do everything we can to help ensure that our customers, and your customers, remain secure too.

Should I be concerned?

Although Cloudsmith is not impacted, the exploit is exceptionally high impact and the library is very widely used, so developers and users of affected software should take it with the utmost seriousness. Immediate action is required to identify and mitigate the affected software and environments.
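One practical way to start that identification, as an added example that is not Cloudsmith's code: walk a directory of jars, read the Maven pom.properties that log4j-core ships with to find the bundled version, and flag anything below 2.17.0 (the release the updates above recommend). The sample jars are constructed fixtures; shaded or fat jars may strip pom.properties, so "not found" is not the same as "safe".

```python
import re
import zipfile
from pathlib import Path

# Lowest release the post's final update recommends.
SAFE_VERSION = (2, 17, 0)
# Maven writes this file into every artifact it builds; log4j-core's copy records its version.
# Shaded/fat jars may strip it, so a None result means "not found", not "safe".
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' (or '2.17.0-rc1', '2.0') into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def log4j_core_version(jar_path):
    """Return the bundled log4j-core version tuple, or None if the jar does not declare one."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return parse_version(value)
    return None


def scan(root):
    """List (jar, version, needs_upgrade) for every jar under root that bundles log4j-core."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        try:
            version = log4j_core_version(jar_path)
        except zipfile.BadZipFile:
            continue  # not a real jar; skip it rather than abort the sweep
        if version is not None:
            findings.append((jar_path, version, version < SAFE_VERSION))
    return findings


def make_sample_jar(path, version):
    """Constructed fixture (not a real artifact): a minimal jar declaring a log4j-core version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    return path
```

Run `scan("/path/to/deployments")` and treat every `needs_upgrade=True` hit as a jar to rebuild against 2.17.0.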

How can I mitigate the issue?

Updated: Please refer to our in-depth blog article on the issue, which provides background, impact, identification and remediation (mitigation) advice for log4j / Log4Shell.

Next Steps

We'll be following this announcement with additional assistance and advice to help users identify affected packages hosted on and distributed from Cloudsmith. (Now released; see the update above.)

If you have any questions about the exploit, need any additional help with identification or mitigation, or have any general concerns, please don't hesitate to get in touch with us.

The exploit is a bad one, so #hugops to everyone. We're here for you, so lean on us if you need to!

Learn More

Please visit the following resources to learn more about Log4Shell: