Security Advisory - Log4J Zero-Day

Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, like the Enterprise File Fabric.

The vulnerability, assigned CVE-2021-44228, potentially enables remote code execution abilities, if unsanitized user input is passed to this component. Further information on the vulnerability can be found here:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

Apache Solr releases are not affected by the follow on CVE-2021-45046 and CVE-2021-45105 vulnerabilities, because the MDC patterns used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized and injected into log files with “%X”. Passing system property log4j2.formatMsgNoLookups=true (as described below) is suitable to mitigate.

Versions of the File Fabric before Enterprise File Fabric v2106 do not use an affected version of Log4J.

New installations of the v2106.00 (or greater) Enterprise File Fabric deployed before Dec. 14, 2021 utilizes an affected version of Log4J as part of its Apache Solr service. Because the Solr service does not receive unsanitized user input, it is not affected by this vulnerability.

As a precaution and consistent with security best practices, if the first deployed version of your File Fabric was v2106 or above and it was deployed prior to Dec. 14, 2021 then please run the following command:

yum update sme-containers-solr

This command will either update your File Fabric's Solr container or report that there is nothing to do. Either result indicates that no further action is necessary.

If you encounter any issues then please contact support@storagemadeeasy.com

If Storage Made Easy manages your File Fabric then you need not take any action. Storage Made Easy has already updated your Solr container if needed.