
What we did to protect your shop against the vulnerability in Apache log4j

By Cipriano Groenendal on Monday, 13 December, 2021


Last Friday a vulnerability was found in a widely used software library called ‘log4j’. This vulnerability is referred to as “Log4Shell”, or “CVE-2021-44228”. A vulnerability that can be exploited externally and leads to Remote Code Execution (RCE) is extremely dangerous, as it allows an attacker to take complete control of your (Magento/Shopware) application.

To start with some good news for our customers: there’s no need to worry, as we’ve already taken care of everything.

Teamwork makes the dream work

Because it’s such a widely used library, our engineers, our security team, and the security team of team.blue got together and made an inventory of all software that could be using this library. The biggest concern for customers is probably ElasticSearch, because it is used by many Magento (2.4+) sites. But we also had to take a look through our own infrastructure (Logstash, Jenkins, etc.), which might be vulnerable.

  • ElasticSearch on Hypernodes itself is not exploitable. Thanks to the use of the Java Security Manager, and a recent Java version, there is no RCE possible here. We did enable a mitigating setting to prevent an information leak, as advised by ElasticSearch itself. We plan to upgrade ElasticSearch at a later point, as we try not to roll out major updates during the holiday season.
  • Our own internal infrastructure was analyzed completely on Friday, and we installed updates or mitigations where possible. Unfortunately, not all systems had these available. Because of that, we’ve taken certain parts of our systems offline for the weekend to prevent exploitation. This may have been noticeable as certain features on the Service/Control Panel were not available.
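One way to carry out the kind of library inventory described above, as an added example that is not Hypernode's own tooling: it walks a directory tree, reads the log4j-core version from each jar's Maven metadata, and records whether the JndiLookup class is still bundled (removing that class was Apache's mitigation for installs that could not be upgraded). The 2.15.0 threshold is an assumption (the first 2.x release fixing CVE-2021-44228; later advisories raised the bar further), and the sample jars are constructed in a temporary directory so the script runs offline.

```python
import os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
FIXED_FROM = (2, 15, 0)  # assumption: first log4j 2.x release fixing CVE-2021-44228

def inspect_jar(path):  # -> (log4j-core version or None, JndiLookup.class bundled?)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:  # Maven-built jars record the version in pom.properties
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names

def classify(version, jndi_present):  # -> not-log4j | mitigated | fixed | affected
    if version is None and not jndi_present:
        return "not-log4j"
    if not jndi_present:
        return "mitigated"  # lookup class stripped from the jar
    if version is not None and tuple(int(p) for p in version.split("-")[0].split(".")) >= FIXED_FROM:
        return "fixed"
    return "affected"  # old version, or unknown version with the lookup class present

def inventory(root):
    report = {}  # {path: status} for every .jar/.war/.ear under root
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    report[path] = classify(*inspect_jar(path))
                except zipfile.BadZipFile:
                    report[path] = "unreadable"
    return report

def demo():
    root = tempfile.mkdtemp()  # constructed sample jars, not real artifacts
    samples = [("log4j-core-2.14.1.jar", "2.14.1", True), ("log4j-core-2.15.0.jar", "2.15.0", True),
               ("log4j-core-stripped.jar", "2.14.1", False), ("commons-lang.jar", None, False)]
    for name, version, with_jndi in samples:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            if version:
                zf.writestr(POM_PREFIX + "pom.properties", f"version={version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return {os.path.basename(p): s for p, s in inventory(root).items()}
```

Point `inventory()` at a real application or Elasticsearch install directory to get the same report for actual jars; a jar reported as "affected" needs an upgrade or the documented mitigation.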

We actively continue to monitor the situation

We monitored the situation over the weekend, and today we’ll continue dealing with it. We plan on replacing the temporary mitigating settings, which we placed on the Hypernodes on Friday, with a permanent solution. We also received news over the weekend that patches are now available for the parts of our system that we had to place offline, so we’ll be testing and deploying these, to bring all parts of our infrastructure back online.

In the coming days we’re keeping a close eye on the development of new exploits, payload encodings, and mitigation bypasses, and where needed we plan to update our WAF with new signatures as they are found.


Update December 14th, 2021

On Monday, December 13th, 2021 we installed mitigating patches on our internal infrastructure, and all services are fully operational again. We are rolling out an update to our WAF today.
