| V 1.0 - Initial publication addressing CVE-2021-44228 | December 13th, 2021 |
| V 1.1 - Addresses CVE-2021-45046 | December 15th, 2021 |
| V 1.2 - Timeline clarification | December 16th, 2021 |
| V 1.3 - Addresses CVE-2021-45105 | December 20th, 2021 |
| V 1.4 - Addresses CVE-2021-44832 | December 28th, 2021 |
While the Allocadia Security team chose to communicate the updates in a light-hearted way, the Log4j vulnerabilities are extremely serious and so are we. Allocadia Security recognizes and thanks the commitment and diligence of our peers at the Apache Foundation as well as all individual contributors to the Log4j project (most, if not all, are volunteers).
Story: “Log4j vulnerabilities, the gift-that-keeps-giving”
On December 9, 2021, a critical vulnerability in Log4j was announced. This timeline documents the response activities of Allocadia Security as it mitigated and remediated issues arising from this disclosure. The following is presented in reverse chronological order:
Chapter IV:
On Tuesday December 28th, a 4th Log4j vulnerability (CVE-2021-44832) was announced which led to the release of the v2.17.1 update to address this issue. Based on Allocadia Security’s assessment, the Subscription Services are not vulnerable to this new flaw. Allocadia Engineering has included the updated 2.17.1 library in this week’s standard deployment process.
Chapter III:
On Friday December 17th, a 3rd Log4j vulnerability (CVE-2021-45105) was announced which led to the release of v2.17.0 addressing this new CVE; based on Allocadia’s assessment, its current exposure to this vulnerability is Low. Allocadia Engineering plans to deploy the updated version of Log4j in this week’s standard deployment process (starting Tue. Dec. 21st).
Chapter II:
On December 14, 2021, a related vulnerability in the newly updated Log4j libraries (CVE-2021-45046) was disclosed; Allocadia Security expanded the response effort to contain and eliminate the risk. All impacted systems were upgraded to v2.16.0 as of Wednesday, December 15th, 1:00pm PST.
Chapter I:
On Thursday, December 9, 2021, a severe remote code execution vulnerability (CVE-2021-44228) was first revealed in Apache's Log4j. That same day, the Allocadia Security team executed the security event response procedure and, upon analysis, determined that a subset of Allocadia’s Subscription Services was impacted. Initial mitigation was completed as of 11:45pm PST on Thursday, December 9th, 2021, with all impacted software components identified and marked for upgrade. Allocadia Security teams completed their emergency patch procedure to upgrade Log4j to v2.15.0 as of 10:50pm PST on Friday, December 10th, 2021.
Since the initial response procedure was initiated on December 9th, forensic review of logs has not revealed any evidence of exploitation or compromise of systems or Customer Data.
On Monday December 13, 2021, Allocadia completed an initial review of material suppliers involved in the delivery and monitoring of the Subscription Services and external dependencies. As of the date of this notice, no material suppliers’ services utilized by Allocadia in the delivery of the Subscription Services are known to be impacted by the Log4j vulnerability. The Allocadia security team continues to actively monitor its material suppliers and is taking prompt remedial action where it finds its material suppliers out of compliance with their security commitments.
Allocadia is monitoring all developments to ensure the safety of Customer Data across all related systems and data flows. Please forward any inquiries related to this situation or any other software vulnerabilities to firstname.lastname@example.org.