Impact of CVE-2021-44228 (log4shell) on Ambientia managed systems and environments
Incident Report for Ambientia
Resolved
We have been closely monitoring the situation around the Log4Shell vulnerability. At this stage the situation appears to have stabilized and no new avenues for exploitation are emerging.

We are marking this incident as "Resolved", but continue to monitor the situation.
Posted Jan 31, 2022 - 14:51 EET
Monitoring
We have implemented an applicable fix in all Ambientia managed environments that we assessed as affected by this vulnerability. We have concluded that the only safe way to temporarily mitigate it is to completely remove the JndiLookup.class wherever it is found and not used. So far no environments have been identified where the class would have a legitimate use.
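As an added illustration of the temporary mitigation described above (example code, not Ambientia's own tooling), the following Python scanner lists archives under a directory that still carry JndiLookup.class and, on request, rewrites them without that entry. The sample jar tree it builds is a constructed fixture in a temporary directory; it inspects top-level jar/war/ear files only, so jars nested inside war files would need a separate pass.

```python
import os
import tempfile
import zipfile

# Archive entry whose presence leaves a log4j-core 2.x jar open to CVE-2021-44228
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_archives(root):
    """Yield jar/war/ear files under root (jars nested inside wars are not unpacked here)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                yield os.path.join(dirpath, name)

def archive_entries(path):
    """Entry names inside a zip-based archive."""
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()

def has_jndi_lookup(path):
    """True if the archive still carries the JndiLookup class."""
    try:
        return JNDI_LOOKUP in archive_entries(path)
    except zipfile.BadZipFile:
        return False  # not a zip archive at all, nothing to inspect

def strip_jndi_lookup(path):
    """Rewrite the archive without the JndiLookup entry (zipfile cannot delete in place)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)

def scan(root, remove=False):
    """Sorted list of affected archives; with remove=True the class is stripped from each."""
    affected = sorted(p for p in find_archives(root) if has_jndi_lookup(p))
    if remove:
        for path in affected:
            strip_jndi_lookup(path)
    return affected

def build_sample_tree():
    """Constructed fixture, not a real deployment: one jar with JndiLookup, one unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-sample.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"placeholder, not a real class file")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as zf:
        zf.writestr("com/example/Other.class", b"placeholder")
    return root
```

Call scan(root) to report affected archives and scan(root, remove=True) to strip the class; re-running scan(root) afterwards should return an empty list.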

We have received many inquiries from our Atlassian customers regarding the impact of this vulnerability on their environments and would like to direct your attention to Atlassian's official security advisory, available here. The only affected Atlassian product is Atlassian Bitbucket, where we have implemented the aforementioned fix in all Ambientia managed Bitbucket instances. We are actively checking the situation with the Atlassian plugin vendors whose plugins are used in Ambientia managed Atlassian instances; so far, all plugin vendors that have responded to our inquiry have reported that their plugins are not vulnerable. This investigation is still ongoing. If vulnerable plugins are found, we will update this page and also contact affected customers directly.

The situation around the vulnerability continues to evolve, and we are closely monitoring updates from vendors, governmental cyber security agencies and disclosures by independent security researchers.
Posted Dec 18, 2021 - 13:14 EET
Identified
On Monday, 13 December, we were further able to conclude that the vast majority of Ambientia provided services based on Spring Boot technology are not vulnerable, as log4j2 is not used as their logging implementation.

Out of an abundance of caution, we are implementing a vendor-suggested fix in all environments that use Elasticsearch, even though the avenue for exploitation appears small. We will contact customers directly if deployment of the fix affects delivery of their service.
Posted Dec 13, 2021 - 12:44 EET
Investigating
On Friday, 10 December 2021, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) when a certain string is logged. This has now been published as CVE-2021-44228.

We are working on identifying the impact of this vulnerability on Ambientia provided services. So far we have concluded that Ambientia managed environments based on Atlassian and Liferay technology are largely not impacted by this vulnerability, as these stacks rely on an older version of the log4j library (1.x) that is not vulnerable in the configuration used in these services.

We are closely monitoring the situation and will implement any fixes, mitigations and upgrades suggested by our technology vendors.
Posted Dec 11, 2021 - 10:30 EET