

Update on our Response to the Log4j Vulnerability

December 12, 2021

As you may be aware, the Apache Foundation recently announced that Log4j, a popular Java logging library, is vulnerable to remote code execution. MITRE has labeled the vulnerability as CVE-2021-44228 and assigned it the highest CVSS score (10.0). If exploited, this vulnerability can give an attacker full control of any impacted system. In addition, the Apache Foundation has disclosed two other vulnerabilities (CVE-2021-45046 and CVE-2021-45105) that could allow a denial of service attack against the impacted system.

Immediately following the announcement, our security and engineering teams began working to evaluate all of our products and internal services for any potential impact. We'd like to inform you of our findings and what steps we have taken to remediate any affected services. Our security research team has published a more in-depth analysis of the Log4j vulnerability and provided ways Datadog security products can help detect attacks exploiting this vulnerability. Please visit this page for the most up-to-date information.

Summary of impact for customers

Our information security and engineering teams have updated any services that use Log4j, whether directly or indirectly through third-party components. In addition, we have been continuously monitoring and have not detected any successful attacks against our infrastructure.

Please find below a list of relevant components, such as Agents or libraries, that you as a Datadog customer may be running in your own environments. We have included a summary of any potential impact of this exploit on each component and the remediation steps we have taken.

CVE-2021-44228 and CVE-2021-45046: Our JMX monitoring client, used by some of our Agent integrations to connect to your internal Java applications through JMX, includes Log4j. We released versions 7.32.4 and 6.32.4, which completely remove Log4j from the Datadog Agent and JMXfetch.

CVE-2021-44228 and CVE-2021-45046: Our analysis concluded that exploiting Log4j through JMX via a vulnerable Agent version already requires full control of the JMX endpoint. This monitoring is not turned on by default; customers have to explicitly enable it by enabling an integration that uses JMX, or by creating a custom JMX check. Out of an abundance of caution, we still recommend upgrading the Agent to 6.32.4 or 7.32.4.

Our analysis of CVE-2021-45105 indicates that the JMXfetch client is not affected. The implementation has a hardcoded PatternLayout and does not use any context lookup. As a result, it does not rely on any configuration that an attacker can control to execute the exploit.

If you are a customer and want more information, please file a support ticket or contact your Datadog support or success team.
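The JMXfetch finding above turns on one condition: whether a PatternLayout pattern performs a Thread Context lookup, which is what CVE-2021-45105 needs. The audit check below is an added example, not Datadog's or JMXfetch's code; the two Log4j 2 XML configurations in it are constructed samples, and it assumes the standard PatternLayout element and attribute names.

```python
# Added example (not Datadog's or JMXfetch's code): flag PatternLayouts in a
# Log4j 2 XML configuration whose pattern performs a Thread Context lookup
# (${ctx:...} or the delayed $${ctx:...}). A hardcoded pattern with no such
# lookup, as described above for JMXfetch, does not meet the CVE-2021-45105
# condition because nothing an attacker places in the context map is
# re-interpreted when the line is formatted.
import re
import xml.etree.ElementTree as ET

# ${ctx:name} or $${ctx:name}; Log4j lookup names are case-insensitive.
CTX_LOOKUP = re.compile(r"\$\$?\{\s*ctx\s*:", re.IGNORECASE)


def find_context_lookups(config_xml: str) -> list:
    """Return (appender name, pattern) for every PatternLayout whose pattern
    contains a Thread Context lookup. Handles both the pattern="..." attribute
    and the <Pattern> child element form. Assumes exact element names."""
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            if CTX_LOOKUP.search(pattern):
                findings.append((element.get("name"), pattern))
    return findings


# Constructed sample: the pattern re-evaluates context data at format time.
EXPOSED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed sample: %X{loginId} only prints the value and performs no
# lookup, so the pattern stays fixed whatever is in the context map.
HARDCODED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardcoded", HARDCODED_CONFIG)):
        print(label, find_context_lookups(cfg))
```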
