Cloudways Engineering and Security teams have analyzed the CVE-2021-44228 (Log4j2) vulnerability on the customer's stack. As per our findings, Elasticsearch is the only service provided to the customers using the Log4j library. Still, it is to be noted that ElasticSearch is not vulnerable to the RCE vulnerability but to information leak via DNS, which is lower in severity. We have a course of action defined below to address it.
Background: The Log4j 2 utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported making a system running Apache Log4j 2 version 2.14.1 or below vulnerable.
Course of action: As per their recommendations, we are starting to roll out patches for the impacted Elasticsearch versions. Some customers have old versions that would require additional actions; we will contact them individually. Moreover, we will continue monitoring this vulnerability as an ongoing event and provide updates through this page and our customer communications channels if needed.
Posted Dec 17, 2021 - 15:21 UTC
Investigating
We are aware of the recently disclosed vulnerability "Log4Shell" relating to the log4j Java package. Our Engineering team is currently assessing our infrastructure and stack for any risks and will take any action necessary to keep our servers and customers secure. We will keep this page updated with more news.