The Studentnet team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell.
Log4j is a Java-based logging utility found in a wide number of software products.
The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value on an affected endpoint.
As soon as Studentnet learned of this vulnerability, we promptly evaluated all cloud-hosted systems and customer premise agents to determine what might be impacted and methodically set about remediating any exposure.
This knowledge base article will be updated over the coming days as more information becomes available.
Affected Products
Studentnet took prompt action to patch and mitigate the potential impact of this vulnerability on the Cloudwork Identity service.
All Cloudwork systems have been evaluated and are NOT affected by this vulnerability. This includes:
- Cloudwork - SmartID
- Cloudwork - EasyID
- Cloudwork - YourID
- Cloudwork - IdentiLab
Other mitigations
We recommend customers check whether any other (non-Studentnet) software they are running may be impacted and check in with applicable vendors for available patches.
Customers unable to patch affected software should also consider the mitigation strategies outlined below.
- Deploy a WAF with rules specific to the exploitation observed around this vulnerability.
- In log4j versions from 2.10 to 2.14.1:
- Set the system property log4j2.formatMsgNoLookups to true, or
- Remove the JndiLookup class from the classpath. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Next Steps
The Studentnet team will continue to provide updates as necessary in this document.