Is xMatters impacted by the recently announced potential vulnerability in Apache's Log4j utility?
During the investigation of this vulnerability, the teams discovered that a small subset of customers using versions 5.5.274 to 5.5.277 of the EPIC data sync tool could potentially be subject to this exploit, depending on the configuration of other components in their systems. Customer Support has already communicated directly with all of the customers who could be affected to ensure that they are protected, and the Engineering team has produced a new version of the EPIC client (5.5.279) and made it available for download.
At this time, we have not identified any other instances of this vulnerability affecting the main xMatters platform or any potential security risks to our services, including the Integration Agent and xMatters Agent.
The National Institute of Standards and Technology (NIST) recently announced that it had identified a potential vulnerability in Apache's Log4j utility. Full details of the vulnerability can be found on the NIST web site at https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
Since the vulnerability was identified, the xMatters Security and Engineering teams have been extensively reviewing and testing all implementations of xMatters that use Log4j. The teams have confirmed that the xMatters service does not use the library that contains the Log4j2 vulnerability identified by NIST in CVE-2021-44228. We have a regular cadence of security scans looking for vulnerabilities and take action whenever possible and prudent to harden our software and services. Because these scans are constant and ongoing, the teams are able to correct certain issues well before they become public.
In the interests of security, we will not be releasing a list of the versions and components currently in use. We can, however, confirm that the components required to perform a successful attack using this exploit are not and were not exposed in xMatters at any time.
The teams are continuing to test and monitor the system, and we will update this article as necessary.
NIST released a follow-up notice, CVE-2021-45046, that identified a vulnerability in the fix for the original Log4j2 issue. This vulnerability only impacted implementations that were affected by the initial issue and had applied the fix for CVE-2021-44228, and did not impact xMatters, the xMatters Agent, or the Integration Agent. The 5.5.279 version of the EPIC client also addresses the vulnerability identified in the follow-up notice.
Some customers have inquired about further NIST notices regarding Log4j. We can also confirm that the following notices do not impact xMatters:
- CVE-2021-4104: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
- CVE-2021-45105: https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- CVE-2021-44832: https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Customers concerned about the Integration Agent's use of an older version of Log4j can now download version 5.4.0, which includes Log4j2.