You may have recently seen in the news information relating to a potentially very serious security vulnerability that will likely affect a broad range of cloud-based SaaS offerings and services. The exploit was disclosed on December 9th, and could potentially allow an attacker to execute code on a remote server. The vulnerability was found within a popular Java-based logging package known as Log4j. Given the widespread use of Java in cloud-based systems, and the widespread use of Log4j as a logging framework, the vulnerability is considered one of the most serious in recent times.
You can read more about the exploit and its potential impacts here: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/
Spica Status
As soon as Spica became aware of the vulnerability, we took steps to protect our platform and most importantly our customer data.
To be clear, we do not believe that Spica’s GemEx platform or the Luna app were vulnerable to this exploit at any point in time.
Nevertheless, we took steps to protect ourselves and conduct an investigation:
- On the 10th December Spica’s hosting partner, Amazon Web Services (AWS), released an update to their Web Application Firewall (WAF) which is used to safeguard all of Spica’s cloud resources. The update added new rules to the firewall to prevent requests that contain the commonly used Log4j headers from reaching GemEx instances, and Spica’s WAF infrastructure was updated automatically.
- Spica has conducted a review of all cloud application source code, verifying that none of the affected Log4j libraries are being used in any of our products.
- We have passed on information relating to the vulnerability to our IOT vendors and have asked them to confirm whether they are affected.
To reiterate, Spica is not directly affected by the CVE-2021-44228 exploit and we will continue to gather information from our suppliers to determine whether they have been affected. We strongly encourage customers who manage environments containing Log4j to check to see if they are affected and take the necessary action.
