Update Dec 17, 2021
On December 9th, 2021, a high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1. To the extent of our current knowledge, this CVE has no impact on GitGuardian's Internal or Public Monitoring applications. Our engineering and site reliability teams began working to evaluate all of our products and internal services for any potential impact; here are our findings:
- GitGuardian's Internal and Public Monitoring applications are not written in Java. In addition, no update is required for customers using the GitGuardian Internal Monitoring On-Premise version as it doesn't include any Java components.
- GitGuardian SaaS uses some Elastic products, specifically for logging purposes. Elastic officially published a security document listing the potential impacts on their products.
In our case:
- Elasticsearch clusters: Our internal Elasticsearch clusters are not exposed on the Internet. We have only whitelisted our secure SSH Bastions and our AWS instances' public IP ranges.
- Logstash: Our internal Logstash servers are not exposed on the Internet. They can only be accessed from a subset of our AWS instances. Since they may handle arbitrary data, we enabled log4j2.formatMsgNoLookups on every Logstash instance and upgraded to the latest version.
- Elastic Cloud: As announced by Elastic, it is not vulnerable to the RCE (Remote Code Execution).
- We use AWS Web Application Firewall in front of all our environments. Since Saturday, December 11th, AWS WAF has been detecting and filtering all such attacks with a rule called "Log4JRCE".
- We are in the process of securing our Elasticsearch servers to avoid any internal escalation or attack.
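The two checks the advisory relies on, the affected version range (2.0 to 2.14.1) and the log4j2.formatMsgNoLookups mitigation, can be turned into a small inventory script. The following is an added example, not GitGuardian's or Elastic's code: it walks a directory tree for log4j-core jars, reads the version from each jar's manifest (falling back to the file name), flags versions inside the affected range, and reports whether a service's JVM options or environment carry the no-lookups setting. The sample jar it builds is constructed test data; the LOG4J_FORMAT_MSG_NO_LOOKUPS environment-variable form of the property is assumed from Log4j's documented configuration, not from the advisory.

```python
"""Added example (not GitGuardian's code): inventory Log4j 2 jars on disk,
flag the CVE-2021-44228 affected range 2.0 to 2.14.1 that the advisory cites,
and check whether the log4j2.formatMsgNoLookups mitigation is present in the
JVM options or environment of a service."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_JAR_NAME_RE = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)[^/]*\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside 2.0 .. 2.14.1 (CVE-2021-44228)."""
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX


def jar_log4j_version(jar_path: Path) -> Optional[str]:
    """Read Implementation-Version from the jar manifest, falling back to the
    version embedded in the file name. Returns None for non-log4j-core jars."""
    name_match = _JAR_NAME_RE.match(jar_path.name)
    if not name_match:
        return None
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # corrupt jar or no manifest: fall through to the file name
    return name_match.group(1)


def scan_directory(root: Path) -> Iterator[Tuple[Path, str, bool]]:
    """Yield (path, version, affected) for every log4j-core jar under root."""
    for path in root.rglob("log4j-core-*.jar"):
        version = jar_log4j_version(path)
        if version is not None:
            yield path, version, is_affected(version)


def has_nolookups_mitigation(jvm_args: str, env: dict) -> bool:
    """Check for the mitigation the advisory applied on Logstash: the
    log4j2.formatMsgNoLookups system property, or (assumed here from Log4j's
    documented configuration) its environment form LOG4J_FORMAT_MSG_NO_LOOKUPS."""
    prop = re.search(r"-Dlog4j2\.formatMsgNoLookups=(\S+)", jvm_args)
    if prop and prop.group(1).lower() == "true":
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def build_constructed_sample(root: Path) -> Path:
    """Write a fake log4j-core jar (constructed test data, not a real
    artifact) whose manifest claims version 2.14.1."""
    jar_path = root / "lib" / "log4j-core-2.14.1.jar"
    jar_path.parent.mkdir(parents=True, exist_ok=True)
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n"
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return jar_path


def demo_scan() -> List[Tuple[str, str, bool]]:
    """Build the constructed sample in a temporary directory and return the
    scan results as (file name, version, affected) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return [(p.name, v, a) for p, v, a in scan_directory(root)]


if __name__ == "__main__":
    for name, version, affected in demo_scan():
        print(f"{name}: log4j-core {version} affected={affected}")
    print(has_nolookups_mitigation("-Xmx1g -Dlog4j2.formatMsgNoLookups=true", {}))
```

The directory scan only sees log4j-core jars that exist as separate files; a copy shaded into an application's own jar will not match the file-name pattern and needs a scan of the jar contents instead. The mitigation check reports what is configured, not what the running JVM actually loaded, so it complements rather than replaces the version upgrade the advisory describes.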
Out of an abundance of caution, we will continue to review all recommended mitigations and monitor the situation closely. We take our obligation to protect your data very seriously. Please reach out to firstname.lastname@example.org if you have any questions.
- 2021-12-17: Email communication sent to all GitGuardian Internal and Public Monitoring users to notify them of the absence of impact of this CVE on GitGuardian’s systems.
- 2021-12-14: Original communications sent to GitGuardian Internal and Public Monitoring customers who have inquired, notifying them of ongoing investigation efforts.