Concerning the Log4J vulnerability (CVE-2021-44228) that was discovered on December 9th.
SaaS Customers
TermWeb SaaS customers are protected from this vulnerability. At no point has any customer or personal data been at risk for access through this vulnerability.
On-premise Customers
TermWeb 3 services are not running services with the Log4J vulnerability.
TermWeb 4 services are only at risk of being vulnerable if you’re running an outdated version of Elasticsearch. We recommend immediately updating Elasticsearch to version 7.16.3. Alternatively, as an immediate mitigation action, you can apply the JVM solution below before upgrading to 7.16.3 at a later point. Supported versions of Elasticsearch (6.8.9+, 7.8+) used with recent versions of the JDK (JDK9+) are not susceptible to either remote code execution or information leakage.
JVM solution
For Elasticsearch 5.6.11+, 6.4+, and 7.0+, the simplest remediation is to set the JVM option 3.0k -Dlog4j2.formatMsgNoLookups=true and restart each node of the cluster.
This provides full protection against the RCE and information leak attacks.
More info concerning Elasticsearch: Apache Log4j2 Remote Code Execution (RCE) Vulnerability – CVE-2021-44228 – ESA-2021-31
Best regards,
The Interverbum Tech staff
