Dear ControlUp customers,
On Friday, December 10th, the world became aware of a critical-severity zero-day vulnerability in the Log4j 2 logging library, CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), also known as Log4Shell.
This vulnerability potentially allows attackers to execute code on backend servers that log unescaped user input, thereby taking over those machines and, from there, installing malware, stealing user data, or worse.
We at ControlUp are confident that our production environment is patched against this Log4Shell vulnerability. Our ControlUp Security and DevOps teams have taken the following steps to mitigate the Log4Shell CVE:
● Verified that ControlUp components deployed at customer sites do NOT include the vulnerable Log4j library. This includes the following software components:
▪ Real-Time DX Agent
▪ Real-Time DX RT Console
▪ Real-Time DX Monitor service
▪ Real-Time DX On-Premises Server (COP)
▪ Insights On-Premises (IOP)
▪ Solve On-Premises (SOP)
▪ Remote DX Plug-ins
▪ Edge DX Agent
▪ Scoutbees Custom Hive
● Reviewed all ControlUp back-end components and servers in order to detect the vulnerable Log4j library.
● Mitigated the relevant back-end components by patching the library, adjusting the Log4j configuration file, or upgrading the Java virtual machine (JVM), as appropriate.
The steps we have taken safeguard your ControlUp environments against the Log4Shell vulnerability. No further action is required from our customers.
If you have any questions, please contact us via email@example.com
ControlUp Security Team