HCSEC-2021-32 - HashiCorp Response to Apache Log4j 2 Security Issue (CVE-2021-44228)

Bulletin ID: HCSEC-2021-31
Affected Products / Versions: None known at this time.
Publication Date: December 13, 2021

Summary
HashiCorp products and services have no known exposure to the Apache Log4j 2 security issue (CVE-2021-44228) at this time. This bulletin will be updated if this situation changes.

Background
A high severity vulnerability impacting multiple versions of Apache Log4j 2, CVE-2021-44228, was disclosed publicly on December 9, 2021.

Details
CVE-2021-44228 relates to a vulnerability in Log4j 2, a Java logging framework. HashiCorp products and services are generally built using the Go language and ecosystem, and do not use Java or, specifically, Log4j 2. Our investigation continues, but HashiCorp products and services have no known direct exposure to this vulnerability at this time.

More broadly, beyond HashiCorp’s core products and services, HashiCorp uses software products and cloud services from a range of third parties across our business. We continue to systematically evaluate these for exposure and take remediation action as appropriate.

Remediation
None necessary at this time. This bulletin will be updated if this situation changes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.

Status Update (December 16, 2021)

Initial response and investigation activities associated with this security issue have been completed.

There was no exposure identified for HashiCorp products / services, including HashiCorp open source software, HashiCorp enterprise software, and HashiCorp cloud services. As noted in the initial bulletin, this is primarily due to HashiCorp’s use of the Go language and ecosystem.

Given Log4j’s wide usage across the technology ecosystem, we expect CVE-2021-44228 and related vulnerabilities to remain an issue for some time. We will continue to monitor for exposure of HashiCorp’s products / services and third-party components / systems and take appropriate remediation actions.

Status Update (December 22, 2021)

HashiCorp is aware of the additional Log4j-related CVEs that have been published. Statements above regarding our response to the initial CVE-2021-44228 also apply to CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104.