On December 9th, a critical zero-day vulnerability (CVE-2021-44228) was disclosed by Apache regarding their Log4j utility. This document provides an overview of our investigation and other mitigation efforts.
❓ FAQ
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly affect Whistic. The Log4j library is a commonplace library in the Java programming language, and while a significant portion of Whistic is built on Java, the Log4j utility is not used within the application. Whistic uses Elasticsearch, Logstash, and FeatureHub, all of which use Log4j by default; as soon as we were made aware of this fact, we effectively removed these services from the Whistic environment until a patch was made available.
On Monday, December 13th, upon confirming an update to version 2.15 was available for each of the above-mentioned services, we installed and tested the update prior to restoring these services.
Update: On Wednesday, December 15th, Whistic was notified of a vulnerability associated with Log4j v.2.15. Upon discovering this vulnerability, we were also made aware that v.2.16 had been released, which would mitigate this issue. This patch was immediately applied and tested for efficacy on each of the above-mentioned services.