An open-source library, Log4J, used widely in many products worldwide has been reported (2021-12-09) to have a critical vulnerability, and is now published as CVE-2021-44228.
This vulnerability allows Remote Code Execution and is easy enough to trigger that the CVSS score is 10.
This vulnerability has been fixed in log4j-2.15.0 and greater.
Arize teams followed security protocol on 2021-12-10 09:03 and here is the conclusion of our Vulnerability Analysis report.
Although the vulnerability is not directly exposed, to ensure future exploits are not possible in any case, we did do an update to use log4j-2.16.0 for impacted internal components.
No action is required on your end, we are running our latest environment.
Please reach out to Arize to follow the procedure to update your environment.
- A EGRESS filtering firewall, would prevent the exploit payload to be loaded.
- A Web-Application Firewall can catch exploit payload before it reaches the server.
- Close monitoring of server process using an Intrusion Detection System would also detect the abnormal behavior of the application