Log4j2 Vulnerability Impact Assessment

Several well-known and critical vulnerabilities have recently been discovered in the popular Apache Log4j2 library. Below is Tulip’s security incident description, which will be updated as necessary. A downloadable copy is also attached:

SI-1.pdf (21.9 KB)


Log4j2 Security Incident

Description

A critical vulnerability in the Apache Log4j2 library (CVE-2021-44228) was announced on December 9th. It allows remote code execution, up to full control of the affected system. A second Log4j2 vulnerability (CVE-2021-45046) was reported shortly afterwards (on December 15th) because the fix for the first CVE was incomplete; it allows the same remote code execution under certain non-default Log4j2 configurations. A third Log4j2 vulnerability (CVE-2021-45105), which can cause a denial of service under certain non-default configurations, was announced on December 20th.

Tulip Business Impact

The Log4j2 vulnerabilities have the potential to affect one of Tulip’s third-party components: Elasticsearch. Based on Tulip research and guidance from the Elasticsearch vendor (Elastic), we conclude there is no impact to Tulip data and systems.

Investigation and Remediation Summary

Elastic has published a blog post about these Log4j2 CVEs. According to Elastic, Elasticsearch's use of the Java Security Manager prevents the reported Log4j2 vulnerabilities from being exploited for remote code execution. Elastic's advisory does note a possible information leak through DNS lookups on older JDK versions, which is what the configuration change it recommends addresses.

Out of an abundance of caution, Tulip has deployed the update recommended by Amazon OpenSearch Service (AWS), which hosts some of Tulip's Elasticsearch instances. Tulip has also deployed the Elasticsearch configuration change recommended in the above blog post in its self-hosted Elasticsearch environments. Again, Tulip's investigation did not find any impact from the Log4j2 vulnerabilities; these changes simply follow Elastic's advice.
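As a practical check for the self-hosted environments mentioned above, the following Python script (an added example, not Tulip's or Elastic's code) classifies an Elasticsearch node by two signals: the version of the log4j-core jar shipped in its lib directory, and whether Elastic's published mitigation flag, -Dlog4j2.formatMsgNoLookups=true, is present in jvm.options. The sample jvm.options text and jar list are constructed; the jar-name pattern, the 2.17.0 threshold (Apache's release fixing all three CVEs on the Java 8 line) and the assumption that this flag is the configuration change Elastic recommended are mine, not taken from the page.

```python
import re

# Elastic's published mitigation for Elasticsearch: add this JVM flag to jvm.options.
# Assumption: this is the configuration change referred to above.
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# First log4j-core release (Java 8 line) that fixes CVE-2021-44228, CVE-2021-45046
# and CVE-2021-45105 together. Assumption: the node runs Java 8 or later; the
# 2.12.x / 2.3.x backport lines for older JDKs are not handled here.
FIXED_VERSION = (2, 17, 0)

# jvm.options allows a JDK-version prefix such as "8:", "8-:" or "8-13:".
VERSION_PREFIX_RE = re.compile(r"^\d+(?:-\d*)?:")
LOG4J_CORE_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_jvm_options(text):
    """Return the effective JVM options from jvm.options text, ignoring comments,
    blank lines and any JDK-version prefix."""
    options = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options.add(VERSION_PREFIX_RE.sub("", line, count=1))
    return options


def log4j_core_version(jar_names):
    """Return the highest log4j-core version tuple among the given jar file names,
    or None if no log4j-core jar is present."""
    found = []
    for name in jar_names:
        match = LOG4J_CORE_JAR_RE.search(name)
        if match:
            found.append(tuple(int(part) for part in match.groups()))
    return max(found) if found else None


def assess(jvm_options_text, jar_names):
    """Classify a node as 'patched', 'mitigated', 'unmitigated' or 'unknown'."""
    version = log4j_core_version(jar_names)
    if version is None:
        return "unknown"          # no log4j-core jar found: inspect the node manually
    if version >= FIXED_VERSION:
        return "patched"          # the upgrade covers all three CVEs
    if MITIGATION_FLAG in parse_jvm_options(jvm_options_text):
        # The flag disables message lookups (CVE-2021-44228 in the default config),
        # but Apache states it is not a complete fix for CVE-2021-45046, so an
        # upgrade is still required.
        return "mitigated"
    return "unmitigated"


# Constructed sample inputs (not taken from any real node).
SAMPLE_JVM_OPTIONS = """\
## JVM configuration
-Xms2g
-Xmx2g
8-13:-XX:+UseConcMarkSweepGC
# Log4j2 mitigation recommended by Elastic
8-:-Dlog4j2.formatMsgNoLookups=true
"""
SAMPLE_LIB_JARS = [
    "elasticsearch-7.10.2.jar",
    "log4j-api-2.11.1.jar",
    "log4j-core-2.11.1.jar",
]

if __name__ == "__main__":
    print(assess(SAMPLE_JVM_OPTIONS, SAMPLE_LIB_JARS))  # mitigated
```

On a real node, feed `assess()` the concatenated contents of `$ES_HOME/config/jvm.options` (and any files under `jvm.options.d/`) together with `os.listdir()` of `$ES_HOME/lib`. A result of "mitigated" means the quick configuration change is in place but the node should still be upgraded; "unknown" means log4j was not found by file name and the node needs a manual look.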

Tulip will continue to take remediation steps recommended by its third-party software vendors if further Log4j2 vulnerabilities are found.

Customer Business Impact

Public cloud: No impact.

Tulip Customer Cloud: Refer to communication from Tulip on implementing the Elasticsearch configuration change.
