The Impact of the Apache log4j Vulnerability (CVE-2021-44228) on SimpleRisk

Log4Shell Vulnerability

As most security practitioners are already aware, on December 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild.  A public proof-of-concept (POC) has been released and subsequent investigation has revealed that the exploitation is incredibly easy to perform, simply by sending a specially crafted request to a vulnerable system.  With thousands of applications using the Apache Log4j 2.x functionality, many of which are publicly available on the Internet, this has caused security practitioners to work overtime since its discovery, trying to identify and mitigate this widespread threat.

Here at SimpleRisk, we've also taken the time to assess our environments against the Apache Log4j 2 vulnerability.  We've analyzed the impact for both our On-Premise and Hosted customers and determined that there should be no impact to either.

For our On-Premise customers, SimpleRisk is typically deployed on a Linux-based system running Apache HTTPD Server, PHP and either MySQL or MariaDB.  We have searched the websites for these software vendors, and looked through multiple announcements, and have found no indication that any of these applications are impacted.  As a result, we don't believe that any of our standard deployment methods for an On-Premise customer would be impacted by this vulnerability.

For our Hosted customers, we deploy a similar stack to that which is described above, with each customer environment being deployed into either a Kubernetes/Docker environment (for Hosted Small Enterprise) or a dedicated AWS Virtual Private Cloud environment (for Medium and Large Enterprise).  As each of these environments is logically separated from one another, and no part of the application stack utilizes Log4j, we believe that no Hosted customer would be impacted by this vulnerability, either.

As this is a rapidly evolving threat, and not all vendors have issued advisories for it yet, we will continue to monitor the situation and react accordingly.  If you have any questions, please feel free to contact us.  Thank you.
