A Fairwinds Security Statement on The Apache log4j Vulnerability

Written By: Bill Ledingham

As we head into the new year, I want to share some recent concerns around the log4j vulnerability and the ongoing security of our Fairwinds software. It is critical that our customers and open source community understand we are aware of the issue and have remained unaffected by this new log4j security concern.

As enterprises continue to move into cloud native applications, to meet their competitive challenges and goals, the need for increased cloud security remains paramount. This reality has been addressed recently by the Biden Administration, who issued mandate orders for almost all federal agencies to patch hundreds of existing security vulnerabilities. It’s a move that can’t come soon enough, as evidenced by the latest vulnerability of note involving log4j, a widely used open source component.

What is log4j?

The zero-day vulnerability in log4j has been described as one of the most serious security issues in recent years, allowing attackers to remotely execute code and gain access to machines. Not only is the flaw simple to take advantage of; because log4j is so ubiquitous, it is embedded in a vast array of applications, services, and software tools, and can be employed by bad actors around the world.

Has Fairwinds been impacted by log4j?

No. As CEO and customer liaison here at Fairwinds, I want to reassure our customers and open source community that we are aware of this recently disclosed vulnerability in the open source Apache project log4j, referenced under CVE-2021-44228 and CVE-2021-45046.

Fairwinds has reviewed all of the open source projects we maintain and has not detected any presence of the log4j vulnerability or the aforementioned CVEs in any of them:

  • Polaris
  • Goldilocks
  • Pluto
  • Nova
  • Reckoner
  • Astro
  • Gemini
  • Saffire
  • RBAC-Manager

Furthermore, we want to confirm for our customers that Fairwinds Insights has not been affected by the log4j vulnerability.

What’s the lesson here?

This new vulnerability should serve as a critical reminder to folks in the industry, and to users of open source software, that as Kubernetes and virtual machines continue to heat up, keeping security top-of-mind will be paramount. The pandemic pushed the globe into remote work, forcing organizations to shift quickly to the cloud. This reality has lit a fire under the need for Kubernetes, containers-as-a-service and the virtual machine marketplace in general, but it has also created legitimate security concerns by opening up a world of new attack surfaces.

As a result, managed service providers (MSPs) will need to be proactive and able to provide services in a manner that puts security first, showing their ability to offer real protection. MSPs who offer the right consulting and resources will likely become trusted partners of customers looking to expand their suite of tools and stay current with industry trends.


Fairwinds — The Kubernetes Enablement Company | Editor of uptime 99
