Last updated 20 December 2021, 16:00 (Central European Time)
Pexip is actively monitoring Log4j vulnerabilities across all products and services. The first [1] issue was reported on Friday, 10 December 2021. A second [2] and a third [3] related issue were reported on Tuesday, 14 December 2021 and Sunday, 19 December 2021 respectively.
Short summary: Pexip Infinity and Private Cloud are unaffected. Pexip Service's production dependencies are patched, and no exploit has been detected.
Pexip self-hosted and Pexip Private Cloud deployments based on the Pexip Infinity solution (including Management and Conferencing nodes, Microsoft Teams Connector and Reverse Proxy components) and the associated client apps do not use the Log4j library. Customers hosting this solution in their own environments are therefore not affected and do not need to take any action.
Whilst the Pexip cloud service does not employ the Log4j component directly as part of its core service, it does use it in supporting infrastructure. Pexip took immediate action to reach containment by disabling this supporting infrastructure until updates could be tested and installed. Pexip likewise took immediate action on the second and third reported issues, and all relevant supporting infrastructure has been updated. Attempts were made to exploit the Log4j vulnerability against supporting infrastructure, but forensic evidence indicates that none of these attempts were successful.
If you have any questions or concerns about this matter, please contact support@pexip.com or your account manager. Security and reliability continue to be top priorities for Pexip as they are priorities for our partners and customers.
This page will continue to be updated with any further information around this case.
References
Easterly, J. (2021, December 11). Statement from CISA Director Easterly on Log4j Vulnerability. Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
Nist.gov. (2021, December 10). CVE-2021-44228 Detail. National Vulnerability Database. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Nist.gov. (2021, December 14). CVE-2021-45046 Detail. National Vulnerability Database. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Nist.gov. (2021, December 19). CVE-2021-45105 Detail. National Vulnerability Database. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Footnotes
[1] The Log4j vulnerability (CVE-2021-44228) permits unauthenticated remote code execution (RCE) on any Java applications running a vulnerable version of Apache’s Log4j 2. It poses a severe risk to those using this version, because it can permit unauthorized access or complete control over systems when exploited correctly.
[2] The Log4j limited mitigation issue (CVE-2021-45046) invalidates the earlier mitigations for [1] in some configurations. Both vulnerabilities ([1] and [2]) are fixed in Log4j 2.16.0.
[3] The Log4j denial-of-service issue (CVE-2021-45105) is an uncontrolled recursion in lookup evaluation that may cause denial of service. It is mitigated in Log4j 2.17.0.
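The footnotes give the fix versions a defender needs for an inventory check: [1] and [2] are closed in Log4j 2.16.0 and [3] in 2.17.0. The following is an added example, not Pexip's own tooling, that turns those statements into a triage script over a software inventory: it pulls the version out of a log4j-core jar filename, compares it against the fix versions from this page, and reports which of the three CVEs still apply. It models only the Log4j 2.x main line as the page describes it; backported fix releases for older Java branches are deliberately left out, and Log4j 1.x entries are reported as out of scope rather than as false positives. The inventory format (`host,jar_path`) and all hostnames and paths are constructed for the example.

```python
import re

# Fix versions for the Log4j 2.x main line, as stated in the footnotes above.
# Hypothetical triage helper (not Pexip's tooling): backported fix releases
# for older Java branches are deliberately not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Matches log4j-core-<ver>.jar (Log4j 2) and log4j-<ver>.jar (Log4j 1.x);
# log4j-api-*.jar is intentionally ignored because log4j-core is the
# artifact carrying the vulnerable lookup code.
_JAR_RE = re.compile(r"log4j(?:-core)?-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); rejects anything that is not major.minor.patch."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_jar(path):
    """Extract the version from a log4j jar filename, or None if it is not one."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def affected_cves(version_text):
    """Return the CVEs from the footnotes that still apply to this version.

    Only Log4j 2 is in scope for these three CVEs, so any other major
    version yields an empty list rather than a false positive.
    """
    version = parse_version(version_text)
    if version[0] != 2:
        return []
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def triage_inventory(records):
    """records: iterable of 'host,jar_path' lines (constructed format).

    Returns {host: {'version': str, 'cves': [...]}} for every host that
    carries a log4j jar; hosts with no such jar are skipped.
    """
    findings = {}
    for line in records:
        host, _, jar = line.strip().partition(",")
        version = version_from_jar(jar)
        if version is None:
            continue
        findings[host] = {"version": version, "cves": affected_cves(version)}
    return findings


# Constructed sample inventory; hostnames and paths are made up.
SAMPLE_INVENTORY = [
    "app-01,/opt/app/lib/log4j-core-2.14.1.jar",
    "app-02,/opt/app/lib/log4j-core-2.16.0.jar",
    "app-03,/opt/app/lib/log4j-core-2.17.0.jar",
    "legacy-01,/opt/legacy/lib/log4j-1.2.17.jar",
    "db-01,/opt/db/lib/slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for host, info in triage_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(info["cves"]) or "not affected by the three listed CVEs"
        print(f"{host}: log4j {info['version']} -> {status}")
```

Version comparison is done on integer tuples rather than strings so that, for instance, 2.9.1 sorts below 2.16.0; a string comparison would get that wrong. A version that cannot be parsed raises rather than silently passing, since an unparseable entry in an inventory is exactly the one that deserves a manual look.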