CVE-2021-44228

On December 10, 2021, NIST published a Common Vulnerabilities and Exposure (CVE) alert identifying a new zero day in the Java logging library Apache Log4j which can result in full server takeover. This critical alert - CVE-2021-44228 - applies to Java applications that use this library.

You may read more in these online resources:

• MITRE CVE Database
• NIST CVE Database
• Apache Log4j security vulnerabilities webpage
• Apache Log4j 2.15.0 release announcement

Stamus Networks does not use this library in any of its proprietary software systems. However it is used by several components of the ELK stack (Elasticsearch, Logstash and Kibana) which are embedded in our Stamus ND, Stamus NDR, and Stamus Probe Management systems.

The developers of the ELK stack, Elastic, have determined that Logstash and Elasticsearch do indeed contain this vulnerability, and they have identified a fix. 

Our research team has reviewed the available literature, evaluated our software architecture, and consulted with our software partners, including Elastic. 

We have concluded that there is very little risk of an exploit in the components we know to be vulnerable, Logstash and Elasticsearch. However, out of an abundance of caution we developed a patch for Stamus ND/NDR that fixes the vulnerability in the currently embedded version of Logstash (6.8.10) and Elasticsearch (6.8.10).

And we have notified our customers of its availability.

If you have any questions please feel free to contact us: support@stamus-networks.com