brainCloud and log4shell (CVE-2021-44228)
As you are likely aware, a serious vulnerability has been discovered in Apache Log4J 2, a very popular logging library for Java services. This attack is informally referred to as log4shell, presumably due to the way it allows an attacker to make privileged JNDI calls via the logging of simple input data from an API or web form.
We are pleased to report that brainCloud’s Production Services are unaffected by this vulnerability – and that we have further patched our services to eliminate any future risk of attack.
More specifically:
- brainCloud’s API and Portal services do not use Log4J 2 – and are thus not affected by log4shell.
- Some secondary Datastream and RTT services do use Log4J 2 – but these services do not log raw input data in our Production configuration – and thus, once again – are not affected by log4shell.
- To eliminate any future risk of exposure, we have now patched all services that use Log4J 2 to version 2.16.0, which disables the compromisable functionality.
The security of your apps and user data is of utmost importance to us. Thank you for trusting your business to brainCloud!