Is Digital Theatre+ vulnerable to CVE-2021-44228 (Apache Log4j2)?

This article explains why Digital Theatre+ is not affected by this vulnerability.

A critical zero-day vulnerability in Apache Log4j 2 versions up to and including 2.14.1 was identified by Chen Zhaojun of the Alibaba Cloud Security Team and disclosed by the project on Thursday 9 December 2021. The vulnerability allows an attacker to trigger the bug with a single line of payload and obtain code execution on the vulnerable system.

More information about the vulnerability can be found in the Common Vulnerabilities and Exposures (CVE) record for CVE-2021-44228.

What is Log4j?

Log4j 2 is a popular Java logging framework developed by the Apache Software Foundation.

Digital Theatre+

Digital Theatre+ uses a number of components from major cloud providers. Digital Theatre+ is satisfied that our platform is not exposed to this vulnerability.

All of the code written and hosted by Digital Theatre+ is JavaScript and TypeScript running on Node.js and Next.js, together with associated JavaScript libraries; none of it runs on the Java platform where Log4j is used.

The following is a list of the major components of our system, with reference to each provider's vulnerability statement:

AWS Lambda
AWS Lambda does not include Log4j2 in its managed runtimes or base container images.

AWS API Gateway
AWS is updating API Gateway to use a version of Log4j2 that mitigates the issue.

AWS CloudFront
CloudFront services have been updated to mitigate the issues identified in CVE-2021-44228. The CloudFront request handling services that run in AWS's points of presence (POPs) are not written in Java and therefore were not affected by this issue.

AWS RDS
RDS-built relational database engines do not include the Apache Log4j library.

AWS DynamoDB
Amazon DynamoDB and Amazon DynamoDB Accelerator (DAX) have been updated to mitigate the issues identified in CVE-2021-44228.

AWS OpenSearch
Amazon OpenSearch Service is deploying a service software update, version R20211203-P2, which contains an updated version of Log4j2. AWS will notify customers as the update becomes available in their regions and will update its security bulletin once it is available worldwide. Digital Theatre+ is comfortable with this, as only content information is stored in OpenSearch.

Okta
Okta has confirmed that the products and components used by Digital Theatre+ are not affected.

Cloudflare
Cloudflare has confirmed that they have completed remediation steps and do not believe their platform was compromised.

Contentful
Contentful's security team has confirmed that Contentful does not use Log4j in its platform. All of Contentful's logging pipelines use another solution for log collection.

References

https://www.cve.org/CVERecord?id=CVE-2021-44228

https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

https://sec.okta.com/articles/2021/12/log4shell

https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/

Further information

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

https://github.com/NCSC-NL/log4shell/tree/main/software