Echo360 has evaluated our systems and has been in touch with vendors we utilize regarding CVE-2021-44228 which impacts the Apache Log4j2 utility.
We have identified no impact to our services at this time.
CVE-2021-44228 is a security vulnerability found in the Apache Log4j2 utility. This utility is used for log message generation in several popular Java applications. This vulnerability could allow for remote code execution in compromised systems.
Full details of the vulnerability are available here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Current Echo360 Status
Any Echo360 system that was potentially using log4j2 was remediated immediately upon our notification of the vulnerability (9-10 Dec 2021), through updates to the
log4j2.formatMsgNoLookups system property and/or by updating log4j2 to version 2.15.0.
Update for 2.16 and 2.17
The 2.16 and 2.17 versions of the log4j2 vulnerability affect non-default PatternLayout configurations that utilize a context lookup. We have reviewed our environment and have ensured Echo360 does not use this functionality. Echo360 is not impacted by either the 2.16 or 2.17 updates of this vulnerability.
Response Actions Taken
- Required actions were determined by our Site Reliability Engineering team as soon as the vulnerability was announced.
- We reviewed our systems and we are certain that no Echo360 services have been compromised by this threat.
- We have reviewed our systems and determined we are not impacted by either the 2.16 or 2.17 updates to the vulnerability as we do not utilize the impacted features in any way.
- We continue to actively work with our partner vendors, in particular, PingIdentity, our SSO service provider, given the nature of the vulnerability. At this time, we have found no service to be/have been impacted.