What is Log4Shell and how it affects Ava Security

   Tom Barton, December 15 2021
2 mins

On Friday 10th December at 10:48 the Ava Product Security Team were notified about CVE-2021-44228 commonly referred to as “Log4Shell”. This vulnerability affects the Java logging library Log4j and can allow an attacker to achieve remote code execution (RCE) on a targeted system. You can find more information about the issue here:

https://logging.apache.org/log4j/2.x/security.html

Update (Monday 20th December): The Ava Product Security team have also reviewed the impact of CVE-2021-45046 + CVE-2021-45105 and have updated the information below.

What is Log4Shell (CVE-2021-44228 + CVE-2021-45046 + CVE-2021-45105)

A logger is a piece of software that keeps a record of what’s happened on a computer system; the logs themselves can be used to determine if software is running smoothly. They also capture data in the run up to an error.

Log4j also performs some basic operations to make the output easier to understand. One of these operations is variable substitution, which searches for patterns like ${something}, and replaces them with other pieces of information. 

Replacement of the ${jndi: string can under specific circumstances load external Java resources due to a  vulnerability in the Log4j library.

It’s entirely possible for attackers to sneak variable substitution patterns into logs by including them in things like HTTP headers, or input fields.

The Ava approach to security

At Ava we have a number of automated systems which scan our code to detect the use of third party libraries and detect any vulnerabilities which they could introduce, such as the Log4Shell exploit.

Ava’s Product Security Incident Response Team (PSIRT) and Internal Blue Teams have launched an internal investigation into the impact of this vulnerability across our products, services, and internal business tools.

Here at Ava we take security very seriously as a ISO 27001 certified company. We have strong internal security controls and processes to ensure the security of customer data even in the event of a vulnerability in third party software. 

We are continually reviewing our internal systems and can confirm the status of the below:

  • Reveal Infrastructure: Our use of secure defaults within the JVM already provides mitigations against this exploit. Please contact your support representative for more information about your deployment.
  • Reveal Cloud: As of Thursday 16th December this issue has been mitigated on both US and EU cloud instances.
  • Reveal Agent: all versions - NOT Impacted
  • Ava Aware:
    • All Stable versions - NOT Impacted
    • All Beta versions - NOT Impacted
  • Ava Cameras:
    • All Stable versions - NOT Impacted
    • All Beta versions - NOT Impacted
  • Ava Aware Mobile Apps (IOS + Android) - all versions - NOT Impacted
  • Ava Cloud (DMP) - NOT Impacted
  • Reveal MSSP - - NOT Impacted

We have reviewed our internal logs and have been unable to find any indication of  compromise.

We are actively monitoring and reviewing our internal systems and will publish a full security advisory to our support portal once these investigations have concluded. 

If you have any further questions please contact the Ava Security team.

Last Updated: 2021-12-20T16:30:00