Wasabi statement on Log4j (CVE-2021-44228) security vulnerability
Dec 13, 2021: Wasabi is aware of the vulnerability disclosed by Log4j (CVE-2021-44228) and has completed verification that this issue does not affect any Wasabi products or services.
A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on the project’s GitHub on December 9, 2021, and designated as CVE-2021-44228 with the highest severity rating of 10. The flaw has been dubbed Log4Shell.
Log4j 2 is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors the opportunity to take control of any Java-based, internet-facing server and engage in Remote Code Execution (RCE) attacks.
From CVE-2021-44228 detail: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” The impact from this vulnerability is likely to be very widespread. There are already reports that threat actors are actively engaged in mass Internet scanning to identify servers vulnerable to exploitation.
Wasabi is aware of the vulnerability and has completed verification that this issue does not affect any Wasabi products or services.
This includes our service itself as well as Wasabi Explorer, Wasabi Account Control Manager, Wasabi Cloud NAS, and Wasabi File Acceleration.
For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Wasabi), Apache, which looks after the Log4j product, has published a security advisory about the issue. Recommended steps you can take include:
- Upgrade to Apache Log4j 2.15.0. If you’re using Log4j, any 2.x version from 2.14.1 earlier is apparently vulnerable by default.
- If you are still using Log4j 1.x, don’t, because it’s completely unsupported. Note that Log4j 1.x has a Log4Shell-style bug of its own, dubbed CVE-2021-4104, so that the lack of support for this version means that this bug will probably never be patched. You need to switch to the latest version (2.15.0) if you plan to stay with Log4j.
- Block JNDI from making requests to untrusted servers. If you can’t update, but you’re using Log4j 2.10.0 or later, you can set the configuration value log4j2.formatMsgNoLookups to true, which prevents LDAP and similar queries from going out in the first place.
If you have any other questions regarding the Log4j issue and Wasabi, please reach out to email@example.com for further assistance.