Home | Blog | Security update about Log4Shell

Security update about Log4Shell

security_update

By Julie Nolot

Engineering

What is Log4Shell?

You probably heard about Log4Shell (or CVE-2021-44228), the vulnerability which impacted log4j, a famous log library written in Java.

This critical vulnerability allows to remotely execute code on the servers of a company or to display the environment variables of an application.

What has been implemented at Clever Cloud?

At Clever Cloud, we worked all weekend to resolve this issue.

All our Elasticsearch add-ons were secured quickly, and many of our customers are secured by the most recent versions of JDK. Edit (13/12 16:41 UTC+1) : Even the most recent versions of Java are now vulnerable to RCE (Remote Code Execution) due to a bypass. The only viable solution is to patch and update log4j directly.

Please also note :

  • Java 8 (or later) users should upgrade to release 2.17.0.
  • Users requiring Java 7 should upgrade to release 2.12.2.
  • Otherwise, remove the JndiLookup class from the classpath in a post build hook (you have to execute the hook in the file where the log4j jar is): 
CC_POST_BUILD_HOOK=zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class "

For the others, we have initiated a thorough monitoring and analysis policy.

We are also in the process of updating the Java image with the following Log4j configuration property: Edit (14/12 14:04 UTC+1) : The Java image has successfully be updated and all Java applications have been redeployed with the following Log4j configuration property:

log4j2.formatMsgNoLookups=true

Please note that this flag only work on versions superior or equal to Log4j v2.10.0.

We upgraded the New Relic Java Agent to the 7.4.1 version and the apps on which the agent was deployed have been redeployed.

We also patched the Pulsar cluster.

How to mitigate the risks?

We urge you to update your dependency to Log4j v2.17.0.

Then, depending on the environments and add-ons you work with, here’s what you can do as well:

For Docker

If you are using Docker, you can do either :

  • Update to Log4j v2.17.0 (recommended)
  • Or setup the following Log4j (v2.10.0 minimum only) configuration property: log4j2.formatMsgNoLookups=true

For Jenkins

The Jenkins security team has confirmed that Log4j is not used in Jenkins core. However, it can be used in some Jenkins plugins. You can identify if Log4j is included in a plugin by using the following command in the Script Console:

org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

Support team

Of course, our support team remains available if you have any question regarding the current situation. You can reach them via the chat or send an e-mail at support@clever-cloud.com.

Tags

Blog

À lire également

Protect yourself: beware of job scams spoofing Clever Cloud’s brand
At Clever Cloud, we provide reliable, secure cloud hosting services for businesses and developers worldwide. Unfortunately, our reputation is being exploited by malicious actors engaging in fraudulent activities under the guise of our company name. We want to set the record straight and help protect you from falling victim to these scams.
Company

Create your own MCP client/server: as easy as 1-2-3 with Otoroshi
While Otoroshi with LLM already allows you to simplify the management of your various AI providers, access to models and integration with your teams, we have added simplified management of MCP clients and servers.
Company

Clever Cloud obtains HDS (Health Data Hosting) certification
Clever Cloud achieves HDS Certification, enabling it to host health data in France. Clever Cloud, Europe's leading provider of Platform as a Service cloud solutions, today announced that it has been awarded the Hébergeur de Données de Santé (HDS) certification, in its updated version effective May 16, 2024, for all 6 activities in the standard. This certification reinforces Clever Cloud's position as a trusted partner for companies and organizations in the healthcare sector.
Press