Is EBSI affected by the Log4j Vulnerability?
What is Log4j?
Software developers use the Log4j framework to record user activity and the behavior of applications for subsequent review. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications. The software is maintained by Apache volunteers, five of whom have worked around the clock in recent days to release security updates.
What is the Vulnerability?
The Log4j flaw, disclosed by Apache last week, allows attackers to execute code remotely on a target computer, meaning that they can steal data, install malware or take control. Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency, while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure.
Apache's security page for Log4j is available here: https://logging.apache.org/log4j/2.x/security.html
Is EBSI Affected?
The EBSI APIs themselves do not use Java and are therefore not affected.
However, the EBSI node has several Java-based components:
Hyperledger Besu (now updated with a fix) - note that remote access to our Besu clients is also restricted to EBSI nodes by IP ACL, so any remote exploit prior to the fix was not possible from outside the EBSI network.
EBSI also uses Java on some servers for infrastructure and tests:
Puppet server (used for EBSI infrastructure; does not use Log4j)
SonarQube (used for EBSI tests; now reconfigured with a fix)
We will continue to monitor this situation and update any components where required.
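As an added example (not code from EBSI or from any of the projects named on this page), the kind of inventory check a defender runs while confirming that every Java component has been updated: it walks a directory of jars, reads the bundled log4j-core version from its Maven pom.properties, checks it against the CVE-2021-44228 version range from Apache's advisory, and reports whether the JndiLookup class is still present. The sample jars it builds are constructed fixtures, not real Log4j artifacts.

```python
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 affects Log4j 2 from 2.0-beta9 through 2.14.1 (Apache advisory);
# 2.12.2 is the Java 7 backport that already carries the fix.
FIRST_AFFECTED, LAST_AFFECTED, FIXED_BACKPORT = "2.0-beta9", "2.14.1", "2.12.2"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-releases sort first."""
    base, _, pre = text.partition("-")
    nums = tuple(int(p) for p in (base.split(".") + ["0", "0"])[:3])
    return (nums, 0 if pre else 1, pre)

def is_vulnerable_version(version):
    """True if this log4j-core version falls in the CVE-2021-44228 range."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED) and v != parse_version(FIXED_BACKPORT)

def scan_jar(path):
    """Report the bundled log4j-core version and whether JndiLookup is still packaged."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode() if POM_PROPS in names else ""
    version = next((l.split("=", 1)[1].strip() for l in props.splitlines() if l.startswith("version=")), None)
    # JndiLookup present with an unknown version is treated as suspect, not as safe.
    vulnerable = JNDI_CLASS in names and (version is None or is_vulnerable_version(version))
    return {"path": str(path), "version": version, "jndi_lookup": JNDI_CLASS in names, "vulnerable": vulnerable}

def scan_tree(root):
    """Scan every .jar/.war under root (jars nested inside wars are not unpacked here)."""
    return [scan_jar(p) for p in sorted(Path(root).rglob("*")) if p.suffix in (".jar", ".war")]

def make_sample_jar(path, version, with_jndi=True):
    """Constructed fixture: a jar carrying log4j-core's pom.properties and a dummy JndiLookup entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode

def demo():
    """Build constructed sample jars in a temp dir and return {file name: vulnerable?}."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "app-with-log4j-2.14.1.jar", "2.14.1")
    make_sample_jar(root / "app-with-log4j-2.15.0.jar", "2.15.0")
    make_sample_jar(root / "stripped-2.14.1.jar", "2.14.1", with_jndi=False)  # JndiLookup removed
    return {Path(r["path"]).name: r["vulnerable"] for r in scan_tree(root)}
```

Point scan_tree at a real deployment directory to get one record per jar; a "stripped" result models the published mitigation of removing JndiLookup.class from an older log4j-core.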
Further Reading
Below are further links regarding the vulnerability and how the components we use have dealt with the issue.
Besu
original fix (deployed on EBSI): https://github.com/hyperledger/besu/pull/3151
second fix (does not affect us): https://github.com/hyperledger/besu/pull/3175
Cassandra (not vulnerable): https://lists.apache.org/thread/2rngylxw8bjos6xbo1krp29m9wn2hhdr
Puppet (not vulnerable): https://puppet.com/blog/puppet-response-to-remote-code-execution-vulnerability-cve-2021-44228/
SonarQube (mitigation fix deployed on EBSI): https://community.sonarsource.com/t/sonarqube-sonarcloud-and-the-log4j-vulnerability/54721