Chat with us, powered by LiveChat Skip to main content
Echo360 Status: 

EchoVideo: Log4j2 CVE-2021-44228 Vulnerability

Paul Hendrix
  • Updated

Summary

EchoVideo has evaluated our systems and has been in touch with vendors we utilize regarding CVE-2021-44228 which impacts the Apache Log4j2 utility.

We have identified no impact to our services at this time.

Background

CVE-2021-44228 is a security vulnerability found in the Apache Log4j2 utility. This utility is used for log message generation in several popular Java applications.  This vulnerability could allow for remote code execution in compromised systems. 

Full details of the vulnerability are available here:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Current EchoVideo Status

Any EchoVideo system that was potentially using log4j2 was remediated immediately upon our notification of the vulnerability (9-10 Dec 2021), through updates to the log4j2.formatMsgNoLookups system property and/or by updating log4j2 to version 2.15.0.

Update for 2.16 and 2.17

The 2.16 and 2.17 versions of the log4j2 vulnerability affect non-default PatternLayout configurations that utilize a context lookup. We have reviewed our environment and have ensured EchoVideo does not use this functionality. EchoVideo is not impacted by either the 2.16 or 2.17 updates of this vulnerability.

 

Response Actions Taken

  • Required actions were determined by our Site Reliability Engineering team as soon as the vulnerability was announced.
  • We reviewed our systems and we are certain that no EchoVideo services have been compromised by this threat.
  • We have reviewed our systems and determined we are not impacted by either the 2.16 or 2.17 updates to the vulnerability as we do not utilize the impacted features in any way.
  • We continue to actively work with our partner vendors, in particular, PingIdentity, our SSO service provider, given the nature of the vulnerability. At this time, we have found no service to be/have been impacted.