Security update for Apache Log4j2 vulnerabilities

Advisory ID: Druva/DVSA-2021-003

Issue date: 12-13-2021

Last updated: 01-13-2022

Advisory status: Final

Changelog

| Date | Version | Description |
|---|---|---|
| 12-13-2021 | 1.0 | Initial public release |
| 12-14-2021 | 2.0 | Updates to product nomenclature and impact status |
| 12-21-2021 | 3.0 | Updates to impact status of the new Log4j CVEs |
| 01-13-2022 | 4.0 | Updates to impact status of the new Log4j CVEs |

Issue summary

The Druva Security and Engineering teams have analyzed the recently disclosed security vulnerabilities related to Apache Log4j2, which is a logging tool used in many Java-based applications. We have investigated and addressed any potential exposure within Druva products and backend services that might rely on the vulnerable version of Log4j2.

Please note that Druva does not natively use Log4j in the Druva Cloud. AWS and other third-party vendor-managed services that directly support our platform were patched by the respective vendors, and the updates were promptly applied wherever applicable for CVE-2021-44228 and CVE-2021-45046. We will continue to monitor the situation and implement additional remediations as appropriate.

Product status

Here is the impact status of the Druva products:

| Product | Component | Impact status of CVE-2021-44228 and CVE-2021-45046 | Impact status of CVE-2021-45105 and CVE-2021-44832 |
|---|---|---|---|
| Endpoint (Druva inSync) | Agents (Windows, Linux, MAC, iOS, Android) | Not impacted | Not impacted |
| | AD Connector (Windows) | Not impacted | Not impacted |
| | CloudCache (Windows) | Not impacted | Not impacted |
| | e-Discovery Client (Windows, MAC, Linux) | Not impacted | Not impacted |
| | Direct Download Utility (Windows, MAC, Linux) | Not impacted | Not impacted |
| SaaS Apps (Druva inSync) | M365 (Microsoft 365); Google Workspace; Slack | Not impacted | Not impacted |
| | Salesforce (Versions 1.0 and 2.0) | Remediated | Not impacted |
| Hybrid Workloads (Druva Phoenix) | Proxies and Agents: VMware (Linux); Hyper-V (Windows); Hyper-V FLR (Linux); Oracle Phoenix Backup Store (Windows, Linux); Oracle Direct to Cloud (Linux); NAS (Windows, Linux); File Server (Windows, Linux); MS SQL (Windows); AWS Proxy (Linux) | Not impacted | Not impacted |
| | CloudCache (Windows, Linux) | Not impacted | Not impacted |
| | Snowball Edge (CloudCache) | Not impacted | Not impacted |
| Native Workloads (Druva CloudRanger) | Native Workloads | Remediated | Not impacted |
| Druva Cloud Platform | Cloud Platform | Remediated | Not impacted |


❗ Important

Druva is aware of the recently disclosed vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 that impact Log4j releases prior to 2.17.1 in non-default configurations. We have evaluated the CVEs and the vulnerable configuration parameters (a pre-condition to successful exploitation) and confirm that the Druva products and core services are not vulnerable. Additionally, third-party vendors used in Druva's core production service have affirmed that the new CVEs are not exploitable in their components/services.


Customer action required

No customer action is required.

Druva has implemented network-level monitoring and controls to prevent exploitation of these CVEs. We will continue to monitor any future updates to Log4j2 and its exposure to Druva Products and the Cloud Infrastructure. For additional details or assistance, please contact Druva Support.

Additional details

For additional details about this vulnerability, please review the following publications:
