Log4j Due Diligence
By Julien Kernec’h
Chief Technology Officer - Plato
San Francisco, December 16, 2021
Plato became aware of the CVE-2021-44228 vulnerability (also known as Log4Shell or Log4Jam) on the day of its disclosure (December 10th). We immediately launched investigations to find out if the infrastructures or the Plato services could be impacted.
We had good reasons to believe that this would not be the case: This flaw exploits a vulnerability in a Java library (Log4j v2) edited and maintained under the aegis of the Apache foundation, that, to be triggered, has to process specially crafted data. Plato’s infrastructure uses of Log4j library is not processing raw data that can be manipulated by a user, which is a required condition for exploiting the vulnerability. With Plato services, every data that can be manipulated by a user is sanitized before being processed.
Yet, some third-party components used in conjunction with Plato services may use resources written in Java and we have therefore carried out a complete assessment of the vulnerability of Plato services to the exploitation of this flaw. We also performed intrusion tests to effectively assess the exploitability of this vulnerability through the use of our services, as well as an analysis of possible traces of attacks trying to exploit this flaw.
The evaluation revealed that none of the components implemented as part of the services offered by Plato to its customers are vulnerable to this security vulnerability.
Examination of recent traces revealed that only a few isolated malicious requests attempting to exploit this flaw were received by the Plato infrastructure (we eliminated from our analysis the requests resulting from our own penetration tests). The first of such requests is usually intended to assess the vulnerability of the server that processes said request. Not receiving further and more elaborated requests of this type is a very good indicator that the attacker did not rate the server as vulnerable.
On December 13, 2021, we updated all the occurrences of the Log4j library we use in order to rely only on the non-vulnerable version, even if the way we used before did not allow any actual exploitability. We also implemented additional security and monitoring measures to detect attempts to exploit this vulnerability and future similar ones.
In conclusion Plato wishes to reassure its customers and users: this potentially very dangerous flaw has no impact on the services offered by Plato, which thus proves, once again, its excellence and its involvement in terms of security and data protection.
Chief Technology Officer - Plato
San Francisco, December 16, 2021
Plato became aware of the CVE-2021-44228 vulnerability (also known as Log4Shell or Log4Jam) on the day of its disclosure (December 10th). We immediately launched investigations to find out if the infrastructures or the Plato services could be impacted.
We had good reasons to believe that this would not be the case: This flaw exploits a vulnerability in a Java library (Log4j v2) edited and maintained under the aegis of the Apache foundation, that, to be triggered, has to process specially crafted data. Plato’s infrastructure uses of Log4j library is not processing raw data that can be manipulated by a user, which is a required condition for exploiting the vulnerability. With Plato services, every data that can be manipulated by a user is sanitized before being processed.
Yet, some third-party components used in conjunction with Plato services may use resources written in Java and we have therefore carried out a complete assessment of the vulnerability of Plato services to the exploitation of this flaw. We also performed intrusion tests to effectively assess the exploitability of this vulnerability through the use of our services, as well as an analysis of possible traces of attacks trying to exploit this flaw.
The evaluation revealed that none of the components implemented as part of the services offered by Plato to its customers are vulnerable to this security vulnerability.
Examination of recent traces revealed that only a few isolated malicious requests attempting to exploit this flaw were received by the Plato infrastructure (we eliminated from our analysis the requests resulting from our own penetration tests). The first of such requests is usually intended to assess the vulnerability of the server that processes said request. Not receiving further and more elaborated requests of this type is a very good indicator that the attacker did not rate the server as vulnerable.
On December 13, 2021, we updated all the occurrences of the Log4j library we use in order to rely only on the non-vulnerable version, even if the way we used before did not allow any actual exploitability. We also implemented additional security and monitoring measures to detect attempts to exploit this vulnerability and future similar ones.
In conclusion Plato wishes to reassure its customers and users: this potentially very dangerous flaw has no impact on the services offered by Plato, which thus proves, once again, its excellence and its involvement in terms of security and data protection.
Updated on: 12/16/2021