In December 2021, a vulnerability in log4j, a commonly used logging tool, was reported and widely publicised due to its potential for exploitation of technical infrastructure components all around the globe. For more information, please refer to:
https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
https://logging.apache.org/log4j/2.x/security.html

Once this vulnerability became known around December 10th, mediafellows started assessing its impact on the MediaStore system in order to provide swift remediation where needed.

All in all, no critical system components were found to be affected, as log4j is not widely deployed within MediaStore’s infrastructure. However, two services are running log4j and thus required attention:

  • Elastic Search
    • Purpose: Provide indices of searchable metadata (e.g. users, products, assets) in order to provide searching and filtering functionality in the administrative and client-facing MediaStore sites.
    • log4j vulnerability impact: None. Our version of Elastic Search uses log4j 1.x; only log4j 2.x is affected. (Any future upgrade of Elastic Search will include a patched log4j version.)
  • Logstash
    • Purpose: Provide automated logging of system activities, including basic non-critical metadata on system processes and involved objects. (Does not provide access to full metadata records or any stored files/assets.)
    • log4j vulnerability impact: Used an affected log4j version. An upgrade to Logstash version 7.16.1, using patched log4j 2.15.0, was performed on December 13th.
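
As an added illustration of the version-based assessment described above (this is example code, not mediafellows' own tooling), the following Python helper classifies log4j jars found under a directory using the same rule the notice applies: log4j 1.x is not affected by this issue, 2.x releases before 2.15.0 are affected, and 2.15.0 or later carries the fix. The jar naming convention (`log4j-core-<version>.jar`, `log4j-<version>.jar`) and the sample file names are assumptions.

```python
import os
import re
from typing import Dict, Iterator, Optional, Tuple

# Assumed jar naming: log4j-core-2.14.1.jar (2.x) or log4j-1.2.17.jar (1.x).
# Only the core artifact is matched; log4j-api jars do not carry the issue.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")

# First 2.x release the notice reports as patched (pulled in by Logstash 7.16.1).
PATCHED_FROM = (2, 15, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify_version(version: str) -> str:
    """Apply the notice's rule: 1.x unaffected, 2.x < 2.15.0 affected."""
    parsed = parse_version(version)
    if parsed[0] < 2:
        return "not affected (log4j 1.x)"
    if parsed < PATCHED_FROM:
        return "AFFECTED - upgrade required"
    return "patched"


def classify_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Return (version, verdict) for a log4j jar name, or None otherwise."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    version = match.group(1)
    return version, classify_version(version)


def assess(root: str) -> Dict[str, str]:
    """Walk a directory tree and map each log4j jar path to its verdict."""
    results: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify_jar(name)
            if verdict:
                results[os.path.join(dirpath, name)] = verdict[1]
    return results


if __name__ == "__main__":
    # Point this at an install root, e.g. assess("/usr/share/logstash").
    for path, verdict in sorted(assess(".").items()):
        print(f"{verdict:30} {path}")
```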

It’s worth noting that neither service is a public-facing part of MediaStore’s infrastructure, so both are far less exposed to direct user input; nonetheless, we patched Logstash as soon as possible in order to avoid any potential risk.