A Fairwinds Security Statement on The Apache log4j Vulnerability
Written By: Bill Ledingham
As we head into the new year, I want to share some recent concerns around the log4j vulnerability and the ongoing security of our Fairwinds software. It is critical that our customers and open source community understand we are aware of the issue and have remained unaffected by this new log4j security concern.
As enterprises continue to move into cloud native applications, to meet their competitive challenges and goals, the need for increased cloud security remains paramount. This reality has been addressed recently by the Biden Administration, who issued mandate orders for almost all federal agencies to patch hundreds of existing security vulnerabilities. It’s a move that can’t come soon enough, as evidenced by the latest vulnerability of note involving log4j, a widely used open source component.
What is log4j?
The zero-day vulnerability in log4j has been described as one of the most serious security issues in recent years, allowing attackers to remotely execute code and gain access to machines. Not only is the log4j flaw simple to take advantage of, the library's ubiquitous nature means it is embedded in a vast array of applications, services, and software tools, and so can be exploited by bad actors around the world.
Has Fairwinds been impacted by log4j?
No. As CEO and customer liaison here at Fairwinds, I want to reassure our customers and open source community that we are aware of this recently disclosed vulnerability in the open source Apache project log4j, referenced under CVE-2021-44228 and CVE-2021-45046.
Fairwinds has reviewed all of the open source projects we maintain and has not detected any presence of the log4j vulnerability or the aforementioned CVEs:
Furthermore, we want to confirm for our customers that Fairwinds Insights has not been affected by the log4j vulnerability.
What’s the lesson here?
This new vulnerability should serve as a critical reminder to folks in the industry, and to users of open source software: as Kubernetes and virtual machines continue to heat up, keeping security top-of-mind will be paramount. The pandemic pushed the globe into remote work, forcing organizations to shift quickly to the cloud. This reality has lit a fire under the need for Kubernetes, containers-as-a-service and the virtual machine marketplace in general, but it has also created legitimate security concerns by opening up a world of new attack surfaces.
As a result, managed service providers (MSPs) will need to be proactive and able to provide services in a manner that puts security first, showing their ability to offer real protection. MSPs who offer the right consulting and resources will likely become trusted partners of customers looking to expand their suite of tools and stay current with industry trends.