Since December 11, 2021, various channels (including the BSI  and CISA ) have been warning about the existence and exploitation of a vulnerability in the Java library "Log4j" (zero-day attack, CVE-2021-44228).
Is Hornetsecurity affected?
Hornetsecurity Group has high requirements for its own IT security. We perform automated vulnerability scans at regular intervals to mitigate IT security threats at an early stage. The processes established have helped us to quickly address the new risk in order to protect our infrastructure and services.
The Hornetsecurity Group systematically checked it's systems to determine whether the vulnerability in question posed a direct or indirect threat. For this purpose we have
- performed an automated vulnerability scan
- checked the software packages and dependencies installed on the respective systems
- reviewed statements from third-party vendors whose software packages we use and compared them with our findings
Primary infrastructure (used for direct processing of customer data)
Systems at this level are not affected by the vulnerability.
Secondary infrastructure (downstream systems that indirectly process customer data).
We have identified systems used to process metadata that are affected by the vulnerability.
As an immediate measure, the workarounds recommended for mitigation have already been implemented. The network segments of the affected systems are only enabled for communication with systems of the primary infrastructure, outgoing traffic is blocked.
As a result, a theoretical outflow of data to third parties, which could be possible by exploiting the gap, isn't possible in our case.
Systems will be patched outside of Central European business hours, beginning 13th December 2021. We expect the patches to be rolled out to all systems no later than 19th December 2021. We do not expect any service disruptions.
Tertiary Infrastructure (support and internal development systems that do not connect to service delivery systems)
Systems affected by the vulnerability have been identified. Access is only available to technical staff. The risk of exploitation of the vulnerability is considered to be very low.
The affected systems will be patched on an as-needed basis within the next 7 days.
Can Hornetsecurity detect Log4j attacks and am I protected?
We have detailed the background of the security vulnerability in our blog, a detailed answer to this question can be found in our blog post.
The internal maintenance work on the critical vulnerability CVE-2021-44228 (log4j / log4shell) was completed by 19.12.21, 18:00, as announced.
We have assessed the newly reported vulnerabilities CVE-2021-45046 and CVE-2021-45105 concerning the Java library "log4j" with significantly lower risk. CVE-2021-45046 describes a new remote code execution vulnerability with a CVSS base score of 9.0. CVE-2021-45105 is a denial of service vulnerability with a CVSS base score of 7.5.
Again, external systems are not affected. Our internal security team thoroughly analyzed our secondary and tertiary systems to determine whether our systems are affected and can be exploited by the newly identified vulnerabilities. Our mitigations applied against CVE-2021-44228 reduce the risk of exploitation through the CVE-2021-45046 (RCE) vulnerability remarkably. CVE-2021-45105 (DoS) does not affect our system. All systems got or will get patched as soon as patches become available by the vendors. Until then, deployed mitigations are in effect to secure our systems and services.
We continue to monitor and assess all incoming vulnerability reports 24x7 in order to derive and implement any necessary measures to maintain security at short notice. The availability of the Emergency Response Team is also ensured over the upcoming holidays.