Apache Log4j vulnerability update
Incident Report for UpCloud
Monitoring
As you may have already read, the recently discovered Apache Log4j zero-day vulnerabilities (CVE-2021-44228 + CVE-2021-45046) in Log4j software is currently being widely exploited. The vulnerability allows remote code execution on affected servers. Remote code execution can be used for instance to leak the server’s data or use the server for other illegal activities including launching Denial-of-Service attacks.

What has UpCloud done to mitigate this?

UpCloud has patched all the affected software used to run our own infrastructure. This protects against data breaches from UpCloud’s own services and managed services such as Object Storage and Managed Databases. UpCloud’s infrastructure has not been compromised and we are continuously monitoring the situation.

However, after deploying Cloud Servers, we’d like to remind that users are responsible for the security updates of the servers’ operating systems and all installed applications. These security updates should be applied immediately.

Are my Cloud Servers vulnerable?

Any Cloud Server running an older version of Log4j is vulnerable, even if it’s not directly serving requests from the public Internet. Background services are similarly vulnerable as they might process logging of external requests. Log4j is a very common part of Java based applications, so you might not have installed Log4j knowingly but can still be vulnerable.

There are multiple ways to check if your servers are vulnerable. Some of these techniques are described and checker software are available from at least:
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/

A continually updating list of affected software is available at:
https://github.com/NCSC-NL/log4shell/tree/main/software

Keeping up-to-date with the software packages and security updates of your Cloud Server’s operating system vendor is essential. We recommend following the security update guides provided by the operating system and application vendors.
Posted Dec 15, 2021 - 14:36 UTC
This incident affects: General.