Advisory ID:Druva/DVSA-2021-003
Issue date:12-13-2021
Last updated: 01-13-2022
Advisory status: Final
Changelog
Date | Version | Description |
12-13-2021 | 1.0 | Initial public release |
12-14-2021 | 2.0 | Updates to product nomenclature and impact status |
12-21-2021 | 3.0 | Updates to impact status of the new Log4j CVEs |
01-13-2022 | 4.0 | Updates to impact status of the new Log4j CVEs |
Issue summary
The Druva Security and Engineering teams have analyzed the recently disclosed security vulnerabilities related to Apache Log4j2, which is a logging tool used in many Java-based applications. We have investigated and addressed any potential exposure within Druva products and backend services that might rely on the vulnerable version of Log4j2.
Please note that Druvadoes not natively use Log4j in the Druva Cloud. AWS and other third-party vendor-managed services that directly support our platform were patched by the respective vendors and the updates were promptly applied wherever applicable for CVE-2021-44228 and CVE-2021-45046. We will continue to monitor the situation and implement additional remediations as appropriate.
Product status
Here is the impact status of the Druva products:
Product | Component | Impact status of
CVE-2021-44228 and CVE-2021-45046 | Impact status of
CVE-2021-45105 and CVE-2021-44832 |
Endpoint (Druva inSync) | Agents (Windows, Linux, MAC, iOS, Android) | Not impacted | Not impacted |
AD Connector (Windows) | Not impacted | Not impacted | |
CloudCache (Windows) | Not impacted | Not impacted | |
e-Discovery Client (Windows, MAC, Linux) | Not impacted | Not impacted | |
Direct Download Utility (Windows, MAC, Linux) | Not impacted | Not impacted | |
SaaS Apps (Druva inSync) |
| Not impacted | Not impacted |
Salesforce (Versions 1.0 and 2.0) | Remediated | Not impacted | |
Hybrid Workloads (Druva Phoenix) | Proxies and Agents:
| Not impacted | Not impacted |
CloudCache (Windows, Linux) | Not impacted | Not impacted | |
Snowball Edge (CloudCache) | Not impacted | Not impacted | |
Native Workloads (Druva CloudRanger) | Native Workloads | Remediated | Not impacted |
Druva Cloud Platform | Cloud Platform | Remediated | Not impacted |
❗ Important
Druvais aware of the recently disclosed vulnerabilities identified by CVE-2021-45105 and CVE-2021-44832 that impact the log4j releases prior to 2.17.1 in non-default configurations. We have evaluated the CVEsand vulnerable configuration parameters (pre-condition to successful exploitation) and confirm that the Druvaproducts and core services are not vulnerable. Additionally, third-party vendors used in Druva's core production service have affirmed that the new CVEsare not exploitable in their components/services.
Customer action required
Do note that no customer action is required.
Druva has implemented network-level monitoring and controls to prevent exploitation of these CVEs. We will continue to monitor any future updates to Log4j2 and its exposure to Druva Products and the Cloud Infrastructure. For additional details or assistance, please contact Druva Support.
Additional details
For additional details about this vulnerability, please review the following publications: