Plum Voice Not Vulnerable to Log4Shell (CVE-2021-44228 and CVE-2021-45046)

Last updated: 12/17/21

Summary

Plum Voice is aware of CVE-2021-44228, also referred to as "Log4Shell", a remote code execution (RCE) vulnerability in Apache Log4j (version 2). We are also aware of CVE-2021-45046, an additional vulnerability identified in Apache's emergency update to patch CVE-2021-44228.

After investigating, we believe that the Log4Shell vulnerabilities do not affect Plum Voice or any of our customer-facing, third-party production applications used to run our infrastructure.

Plum Voice has implemented all mitigation instructions provided by third-party application vendors. We will continue to monitor the situation and watch for any additional guidance vendors provide about their products.

Background info

Apache Log4j is a widely used logging library for Java-based applications. On December 9th, 2021, a zero-day exploit for log4j (version 2) was discovered that allows remote code execution (RCE) when the application logs a certain attacker-supplied string. Also referred to as Log4Shell, this vulnerability has since been published as CVE-2021-44228.

A second log4j vulnerability, published as CVE-2021-45046, was discovered on December 14th, 2021. The emergency update issued by Apache for CVE-2021-44228 was determined to be incomplete in certain non-default configurations, making it possible to execute denial-of-service (DoS) attacks and download data from affected servers.

Does Log4Shell affect:

Plum Voice?

No. We do not use Java internally, so any code written by Plum Voice is not vulnerable to CVE-2021-44228 or CVE-2021-45046.

Any of Plum Voice's 3rd-party infrastructure applications?

After investigation, we believe that CVE-2021-44228 and CVE-2021-45046 do not affect any of the customer-facing, third-party production applications used to run our infrastructure.

Plum Voice has implemented all mitigation instructions provided by third-party application vendors. We will continue to monitor the situation and watch for any additional guidance vendors provide about their products.

Recommendations

At this time, we believe that the Log4Shell vulnerabilities do not affect either Plum Voice or any of our customer-facing, third-party production applications used to run our infrastructure.

However, we still encourage customers to follow security best practices and continue to monitor this notice for any further updates.

For any customers who write their own code, we recommend that you review any self-hosted applications on your networks that interact with Plum Voice systems. For more info on Log4Shell, see Related Information.
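One concrete way to carry out that review is to inventory which log4j-core release each deployed application actually bundles, since the vulnerable library is often hidden inside a .war or fat jar rather than sitting on disk as its own file. The script below is an added illustration and is not Plum Voice code: it walks a directory tree, opens every jar/war/ear archive, recurses into nested archives, reads the Maven `pom.properties` that log4j-core ships, and classifies the version against the two CVEs in this notice. The fixed-version cutoffs (2.16.0, and 2.12.2 on the Java 7 branch) reflect the Apache releases available as of this notice's date and are not taken from the notice itself; the sample tree it builds for a demonstration run is constructed, not real deployment data.

```python
"""Inventory bundled log4j-core jars and flag CVE-2021-44228 / CVE-2021-45046 exposure.
Added example for this advisory; not Plum Voice code."""
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Maven metadata that log4j-core ships inside its jar; its version= line is the
# most reliable offline indicator of which release is bundled.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 16, 0)           # first 2.x release fixing both CVEs (as of 12/17/21)
JAVA7_BACKPORT = (2, 12, 2)  # Java 7 branch release carrying the same fixes


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9]+)?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: str) -> str:
    """Map a log4j-core version string to its status for the two CVEs in the notice."""
    ver = parse_version(version)
    if ver is None:
        return "unknown"
    if ver[0] != 2:
        return "not-log4j2"        # log4j 1.x is outside the scope of these two CVEs
    if ver >= FIXED or ver == JAVA7_BACKPORT:
        return "fixed"
    if ver >= (2, 15, 0):
        return "CVE-2021-45046"    # 2.15.0 closed CVE-2021-44228 but not CVE-2021-45046
    # 2.0-beta9 .. 2.14.1; earlier beta builds are treated conservatively as affected.
    return "CVE-2021-44228,CVE-2021-45046"


def find_log4j_core(archive: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (path inside archive, version) for each log4j-core found, recursing
    into nested archives so shaded/fat jars and .war files are covered."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        yield name, line.split("=", 1)[1].strip()
            elif name.lower().endswith(ARCHIVE_EXTS):
                for inner, ver in find_log4j_core(zf.read(name)):
                    yield f"{name}!/{inner}", ver


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Return sorted (location, version, status) for every log4j-core under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            for inner, ver in find_log4j_core(data):
                nested = inner[: -len(POM_PROPS)].rstrip("!/")  # '' for a top-level log4j-core jar
                location = f"{path}!/{nested}" if nested else path
                findings.append((location, ver, classify(ver)))
    return sorted(findings)


def make_log4j_core_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the Maven metadata matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed sample tree: a .war bundling log4j-core 2.14.1, a plain 2.16.0 jar,
    and an unrelated jar. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
        zf.writestr("WEB-INF/classes/app.properties", "name=demo\n")
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(make_log4j_core_jar("2.16.0"))
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(root, "other.jar"), "wb") as fh:
        fh.write(other.getvalue())
    return root


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for location, ver, status in scan_tree(scan_root):
        print(f"{status:32} {ver:10} {location}")
```

Run it with a directory argument to scan a real application tree, or with no argument to scan the constructed sample. A "fixed" result only covers the two CVEs named in this notice; applications that patch by removing the `JndiLookup` class rather than upgrading will still report their original version, so treat the output as an inventory to confirm against vendor guidance rather than a final verdict.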

Revision history

  • 12/17/21: UPDATE - Added description, response to CVE-2021-45046. Added link to NVD publication on CVE-2021-45046.

  • 12/13/21: Initial posting.
