The Apache Software Foundation acknowledged a vulnerability on Friday, December 10th. Their Java-based logging component, Log4j, contains a remote code execution flaw that is extremely easy to exploit and was consequently assigned a CVSS score of 10, the highest possible.
SnapStream software does not use the log4j library, so neither our enterprise servers nor our cloud services are affected by this vulnerability. However, those of you with on-premise enterprise servers that are equipped with Broadcom MegaRAID controller cards could be exposed to this vulnerability through third-party software. We are working with Broadcom to determine whether any versions of MegaRAID Storage Manager installed on your system are affected.
What is Log4j?
CVE-2021-44228, the log4j vulnerability, exploded over the weekend, tagged with a rarely seen CVSS score of 10. This vulnerability is very widespread, easy to exploit, and allows for a complete takeover of systems or applications.
Log4j is a Java-based logging package used by developers to log errors. Because the log4j library is so popular, many major publishers and manufacturers have been assessing their software to determine whether it is affected. Big names like Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many other widely used applications make use of the log4j library.
Who Is Affected?
Any application using the log4j library with a version from 2.0-beta9 to 2.14.1 is vulnerable. This means that any application using log4j 2 is vulnerable until it is updated to the latest version, 2.15.0.
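The version range above is the one thing an administrator can act on directly: find every `log4j-core` jar on a server and check whether its version falls inside 2.0-beta9 through 2.14.1. The script below is an added example and is not SnapStream's, Broadcom's, or Apache's code. It assumes the affected range is inclusive at both ends, that pre-release tags such as `beta9` and `rc1` sort before the final release of the same number (as Log4j's own numbering does), and that the jar keeps its standard `log4j-core-<version>.jar` filename; the sample file list is constructed for illustration.

```python
import re
from pathlib import Path

# Affected range as stated in the advisory; bounds assumed inclusive.
VULN_LOW = "2.0-beta9"
VULN_HIGH = "2.14.1"
FIXED = "2.15.0"

# Standard Maven artifact name for the affected module. Log4j 1.x jars are
# named log4j-<ver>.jar and log4j-api jars are not the affected module, so
# neither matches this pattern.
_JAR_RE = re.compile(
    r"^log4j-core-(?P<ver>\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\.jar$"
)

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+)?)?$")


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that compares correctly.

    A final release ranks above any pre-release tag of the same number, so
    2.0-beta9 < 2.0-rc1 < 2.0 (tags compared alphabetically, then numerically).
    """
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch, tag, tagnum = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    pre = (1, "", 0) if tag is None else (0, tag.lower(), int(tagnum or 0))
    return nums + pre


def is_vulnerable_version(v):
    """True if v lies within the advisory's affected range (inclusive)."""
    pv = parse_version(v)
    return parse_version(VULN_LOW) <= pv <= parse_version(VULN_HIGH)


def classify_jar(path):
    """Return a finding dict for a log4j-core jar, or None for other files."""
    m = _JAR_RE.match(Path(path).name)
    if not m:
        return None
    ver = m.group("ver")
    return {"file": str(path), "version": ver, "vulnerable": is_vulnerable_version(ver)}


def scan(paths):
    """Classify every log4j-core jar among the given paths."""
    findings = []
    for p in paths:
        c = classify_jar(p)
        if c is not None:
            findings.append(c)
    return findings


def scan_tree(root):
    """Walk a directory tree and classify every log4j-core jar found in it."""
    return scan(str(p) for p in Path(root).rglob("log4j-core-*.jar"))


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real host.
    sample = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "/opt/app/lib/log4j-core-2.15.0.jar",
        "/opt/old/lib/log4j-core-2.0-beta9.jar",
        "/opt/legacy/lib/log4j-1.2.17.jar",
        "/opt/app/lib/log4j-api-2.14.1.jar",
    ]
    for f in scan(sample):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{status:10s} {f['version']:10s} {f['file']}")
```

Run `scan_tree("/")` (or the application install root) to inventory a server. A filename check is only a first pass: a log4j-core class set repackaged inside an application's own "fat" jar, or a renamed jar, will not match the pattern, so a clean result from this script does not by itself prove a host is unaffected.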