CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) was released on December 10, 2021 outlining a vulnerability in Apache Foundation project Log4j (https://logging.apache.org/log4j/2.x/index.html). This vulnerability can be used by a remote attacker to execute code without authentication. This vulnerability is also known as Log4Shell.
WitFoo Precinct 6.x utilizes log4j in the WitFoo Streamer & Apache Kafka Docker containers that manage the message processing pipeline. Other custom WitFoo containers (including Cassandra 4.01) do not utilize log4j.
As of 0940 Eastern Standard time on Saturday, December 11, 2021, WitFoo has completed the following mitigation steps:
- Streamer code utilizing log4j has been upgraded to use log4j version 2.15.0
- Kafka use of log4j libraries has been disabled
- Kafka remote access is prohibited by firewall rule
- Patched code & configuration has been pushed to all effected Docker images
- All customer deployments have been issued emergency/immediate jobs to apply the new code
- Precinct Cloud instances have been patched
- Checkmarx SAST and SCA source code checks have verified Precinct code is free of high & medium vulnerabilities including CVE-2021-44228
- Qualys VA scans have been run against Precinct using authenticated scans revealing no high or medium vulnerabilities including CVE-2021-44228
- All active Precinct deployments have been verified to have applied the new Docker containers & firewall rules
- WitFoo R&D has completed a preliminary search of diagnostic logs of production deployments of Precinct and have not found evidence of successful attack.
At this time, we believe no WitFoo customers were effected by the exploit outlined in CVE-2021-44228. The vulnerability is fully patched in all WitFoo software. No further action is required by WitFoo customers or partners at this time.
If you have any questions, please reach out to WitFoo Support.
UPDATE 1546 EST December 14, 2021:
- Streamer log4j version patched to 2.16.0.
- Actor IOC definitions published (see: https://www.witfoo.com/blog/log4j-logshell-ioc-search/)
UPDATE 0813 EST December 20, 2021:
- Streamer log4j version patched to 2.17.0.
- Actor IOC definitions expanded
