Early in the morning on Friday December 10th we became aware of a very serious security vulnerability found in a Java library we use in the Ocean platform called log4j2. (In this case severity is determined by how easy the vulnerability is to exploit as well as log4j2's widespread use.) Technical information on the vulnerability can be found here: https://www.lunasec.io/docs/blog/log4j-zero-day/
We wanted to update you as to how we are responding to this threat:
- First and foremost, it was determined after initial investigation that Ocean and Cloud Connect were not vulnerable to the most serious attack vectors identified in the research - our patch processes keep our server software up to date, and these patches prevented exploitation of the worst attack variant.
- On Friday night we released new patched versions of Ocean and Cloud Connect that included an upgrade to log4j 2.15, removing the remaining known attack vectors from the vulnerability in the Ocean platform.
- Working with 3rd party vendors, we identified some additional tools and libraries in our server monitoring infrastructure that could also be indirectly vulnerable. These 3rd party tools were patched Monday night.
- On Tuesday, further industry research led to the discovery of some remaining vulnerabilities in log4j version 2.15. Log4j 2.16 has been released to address these, and it will be patched into the Ocean platform Tuesday night. This eliminates the remaining known vulnerabilities.
- On Thursday December 17th a 3rd party vendor we rely on notified us a patch was available for their tool. We applied the patch last night. (Note: There is no added exposure to the Ocean platform with respect to the log4j vulnerability from this tool.)
- On Saturday December 18th we became aware of another update to the log4j library to mitigate a newly detected vulnerability. We upgraded to this version and applied the patch Sunday, Dec 19.
As of Dec 20 all vulnerable versions of log4j used in the Ocean platform (either directly or indirectly) have been fully patched. No action is required on your part.
After careful review of system logs, we find no evidence that the vulnerability was successfully used against the Ocean platform. While the known risks to the Ocean platform have been fully mitigated, we will continue to monitor the situation as our partners and software providers continue their investigation and mitigation efforts. This article will be updated if additional information becomes available.
Please contact firstname.lastname@example.org if you have any questions or concerns.