+91 96558 14047 (India)
+65 8237 9397 (Singapore)
+1 315 532 7622 (USA)
+27 11 886 1707 (South Africa)
+61 8 4634 1736 (Australia)
+44 (0) 208 123 3459 (UK)
Email: [email protected]
On December 9, 2021, a major vulnerability in Log4j, a Java-based logging library of Apache Software Foundation, was revealed. This vulnerability is now hailed as one of the biggest cybersecurity weaknesses as it has put millions of devices at risk. Also termed as Log4Shell or CVE-2021-44228, this vulnerability has impacted a wide range of platforms, such as Apple, Amazon, Twitter, Minecraft, and many others.
Neutrinos, encompassing its Low-Code Platform, extensions, and dependencies, is safe from this vulnerability as Neutrinos does not use the log4j version 2 core library. The platform is not impacted as it uses Winston for logging. Neutrinos experts have also evaluated everything on the platform after the vulnerability disclosure, and have confirmed that there is no impact on any of Neutrinos Solutions. This evaluation excludes any external components that the platform integrates with, such as Jenkins or Kubernetes.
The Neutrinos Platform is secure from the Apache Log4j Vulnerability.
There are many questions about this vulnerability and its impact on cybersecurity. Please find the answers to most of these important questions below.
1. What is Log4j?
It is a popular open-source logging library developed by Apache used by applications worldwide, such as Amazon, Minecraft, and Apple iCloud, among many others. This library is also used by several government entities. A logging library allows the developers to view all activities of an application.
2. What is this vulnerability or flaw in Log4j called?
The vulnerability is called Log4Shell. Its CVE ID is CVE-2021-44228. The CVE number is a unique number given to each discovered vulnerability across the world.
3. Is Log4j susceptible to the Log4shell vulnerability?
Yes. The Log4Shell vulnerability affects all versions of Log4j, starting with 2.0-beta9 and ending with 2.14.1. It’s a critical flaw that necessitates immediate attention.
4. How does the Log4Shell vulnerability impact cybersecurity?
This vulnerability allows hackers or attackers to gain uncontrolled access to Java-based web servers and trigger remote code execution (RCE) attacks on computer systems. Cybersecurity researchers believe that all applications or platforms or devices that use Log4j are a potential target due to this vulnerability.
5. Is the Log4Shell vulnerability a serious concern?
Yes. The cybersecurity firm LunaSec states that this library is “ubiquitous” across applications, and the exploit grants complete server control and is simple to execute. According to LunaSec, it will most likely affect Apple’s iCloud and the online gaming provider Steam. CheckPoint, another cybersecurity firm believes this issue “may be exploited either over HTTP or HTTPS (the encrypted version of browsing). Meanwhile, the Cyber Emergency Response Team (CERT) of New Zealand has issued a statement claiming that the vulnerability may give an attacker complete control of the compromised server and that it is being “actively exploited in the wild.” This vulnerability can be exploited by cybercriminals for nefarious activities.
6. Is there a fix to this vulnerability?
Apache has rolled out a new update, Log4j 2.16.0, to resolve this issue. The firm is recommending all platforms and apps using Log4j to upgrade to this version to fix the vulnerability. This upgrade disables the JNDI functionality by default and removes support for the message lookup pattern.
7. What services or apps are impacted by Log4Shell?
LunaSec states that services such as Minecraft, gaming service Steam, and Apple iCloud are among the many impacted. GitHub states that Amazon, Apple, Twitter, Tencent, Baidu, Tesla, Google, WebEx, LinkedIn, CloudFlare, NetEase, and many more companies are impacted by this vulnerability. Check Point states that the open-source Apache Log4j library has had over 400,000 downloads from its GitHub repository.
8. If I am using the Neutrinos Platform, are my apps safe from this vulnerability?
Definitely Yes! As the Neutrinos Platform uses Winston for logging and not Log4j, all solutions created on the Neutrinos Platform are not impacted by the Log4Shell vulnerability.
If you have more questions on this vulnerability or want more information on how secure the Neutrinos Platform is, please contact us. We would be happy to answer your queries, and also show you how your apps will be protected from this vulnerability on the Neutrinos Platform.