HCSEC-2021-32 - HashiCorp Response to Apache Log4j 2 Security Issue (CVE-2021-44228)

Bulletin ID: HCSEC-2021-31
Affected Products / Versions: None known at this time.
Publication Date: December 13, 2021

HashiCorp products and services have no known exposure to the Apache Log4j 2 security issue (CVE-2021-44228) at this time. This bulletin will be updated if this situation changes.

A high severity vulnerability impacting multiple versions of Apache Log4j 2, CVE-2021-44228, was disclosed publicly on December 9, 2021.

CVE-2021-44228 relates to a vulnerability in Log4j 2, a Java logging framework. Generally, HashiCorp products and services are built using the Go language and ecosystem, and do not utilize Java or specifically Log4j 2. Our investigation continues, but HashiCorp products and services have no known direct exposure to this vulnerability at this point in time.

More broadly, beyond HashiCorp’s core products and services, HashiCorp utilizes software products & cloud services from a range of third parties across our business. We continue to systematically evaluate these for exposure and take remediation action as appropriate.

None necessary at this time. This bulletin will be updated if this situation changes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.

Status Update (December 16, 2021)

Initial response and investigation activities associated with this security issue have been completed.

There was no exposure identified for HashiCorp products / services, including HashiCorp open source software, HashiCorp enterprise software, and HashiCorp cloud services. As noted in the initial bulletin, this is primarily due to HashiCorp’s use of the Go language and ecosystem.

Given Log4j’s broad usage across the broader technology ecosystem, we expect CVE-2021-44228 and related vulnerabilities to remain an issue for some time. We will continue to monitor for exposure of HashiCorp’s products / services and third party components / systems and take appropriate remediation actions.

Status Update (December 22, 2021)

HashiCorp is aware of the additional Log4j-related CVEs that have been published. Statements above regarding our response to the initial CVE-2021-44228 also apply to CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104.