Security Advisory

Alibaba Cloud Statement on the Impact Assessment of Apache Log4j2 RCE Vulnerability (CVE-2021-44228)

Dec 23, 2021

Last Updated Date: December 19, 2021

Alibaba Cloud is aware of the recently disclosed issues related to the Apache Log4j2 remote code execution (RCE) vulnerability (CVE-2021-44228) and takes them very seriously. We have taken immediate action to mitigate security risks related to this vulnerability. We will continue monitoring the latest developments regarding the Log4j2 vulnerability and deploy countermeasures as soon as they become available to ensure the security of our cloud products and services.

We highly recommend that our customers take stock of the applications and systems that make use of Log4j2 and ensure that each one uses the latest version (alternatively, enable automatic updates for these applications and systems). For more information or help, visit the Alibaba Cloud Customer Service page.
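Taking stock of Log4j2 usage in practice means finding every log4j-core jar on a host, including copies nested inside WAR, EAR and fat jars, and reading its version rather than trusting the file name. The script below is an added example, not Alibaba Cloud tooling, and it serves both the general recommendation above and the later advice to update Log4j2 inside MaxCompute and DataWorks UDF packages (a UDF jar is just another archive to scan). It assumes the Maven pom.properties entry that log4j-core jars ship with, uses the published affected range for CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.12.2 backport excluded), and records whether the JndiLookup class is still present. The sample directory tree it scans is constructed in memory.

```python
"""Inventory log4j-core jars under a directory tree and flag versions
affected by CVE-2021-44228. Added example; not Alibaba Cloud tooling."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata entry that log4j-core jars ship with (assumption: jar was built by Maven).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal is a known hot-fix mitigation; its presence is recorded, not judged.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    path: str                  # archive path; nested archives are joined with "!"
    version: str
    jndi_lookup_present: bool
    affected: bool


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'2.0-beta9' -> (2, 0, 0, -1); '2.14.1' -> (2, 14, 1, 0).
    A pre-release sorts below its final release; the qualifier number is not compared."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if pre else 0)


def affected_by_cve_2021_44228(version: str) -> bool:
    """2.0-beta9 through 2.14.1 are affected, except the 2.12.2 backport;
    2.15.0 is the first fixed 2.x release. Log4j 1.x is out of scope for this CVE."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    return (2, 0, 0, -1) <= v < (2, 15, 0, 0) and v[:3] != (2, 12, 2)


def _scan_archive(data: bytes, label: str, out: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive; skip
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                ver = m.group(1).strip()
                out.append(Finding(label, ver, JNDI_LOOKUP in names,
                                   affected_by_cve_2021_44228(ver)))
        # Recurse into nested archives (fat jars, WEB-INF/lib inside a WAR, EAR modules).
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!{name}", out)


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    _scan_archive(fh.read(), p, out)
    return sorted(out, key=lambda x: x.path)


def _make_log4j_core_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the entries this scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample: two loose jars and one WAR with a nested, hot-fixed jar."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_make_log4j_core_jar("2.14.1", True))   # affected, unmodified
    with open(os.path.join(lib, "log4j-core-2.12.2.jar"), "wb") as f:
        f.write(_make_log4j_core_jar("2.12.2", True))   # backport fix, not affected
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:                  # JndiLookup removed but version still affected
        zf.writestr("WEB-INF/lib/log4j-core-2.13.0.jar", _make_log4j_core_jar("2.13.0", False))
    with open(os.path.join(root, "app", "service.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    for fi in findings:  # relative paths are stable for the reader
        fi.path = os.path.relpath(fi.path, tmp)
    return findings


if __name__ == "__main__":
    for fi in demo():
        state = "AFFECTED" if fi.affected else "ok"
        jndi = "present" if fi.jndi_lookup_present else "removed"
        print(f"{state:8} log4j-core {fi.version:<9} JndiLookup={jndi:8} {fi.path}")
```

Point scan_tree at an application's install root (or an exported UDF package) to get the same report for real archives. The version check is the authoritative signal; the JndiLookup column only tells you whether a hot-fix that strips the class was applied, which is useful when an upgrade is still pending but is not a substitute for running the latest release.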

I. Alibaba Cloud Service Updates for Apache Log4j2 Issues

ECS
The versions of Log4j available in the public images of Elastic Compute Service (ECS) and Alibaba Cloud Linux images are not affected by CVE-2021-44228.

ApsaraDB RDS
ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, and ApsaraDB RDS for SQL Server are not affected by CVE-2021-44228 because these services do not use Apache Log4j2.

EIP
Elastic IP Address (EIP) is not affected by CVE-2021-44228.

MaxCompute
The services provided by MaxCompute are not affected by the vulnerability, but some internal non-service components of MaxCompute have Log4j2 dependencies. Alibaba Cloud updated these components deployed in the Chinese mainland on December 15, 2021, and is rolling out the update in regions outside the Chinese mainland in phases. By default, MaxCompute runs user-defined functions (UDFs) in an isolated environment that prohibits UDFs from accessing external networks, so the risk this vulnerability poses to UDFs is controllable. However, UDFs may depend on data in other services. We therefore recommend that customers update Log4j2 in their UDFs to the latest version.

SLB
Fixes have been rolled out in the Server Load Balancer (SLB) modules that were affected by CVE-2021-44228.

ACK
Container Service for Kubernetes (ACK) is not affected by CVE-2021-44228.

SSL Certificates Service
SSL Certificates Service is not affected by CVE-2021-44228.

CDN
Fixes have been rolled out in the Content Delivery Network (CDN) modules that were affected by CVE-2021-44228.

OSS
External services of Object Storage Service (OSS) are not affected by CVE-2021-44228 because the services do not use Apache Log4j2.

ECI
Elastic Container Instance (ECI) is not affected by CVE-2021-44228 because ECI does not provide Java environment components by default.

RAM
External services of Resource Access Management (RAM) are not affected by CVE-2021-44228 because the services do not use Apache Log4j2.

Log Service
Log Service is not affected by CVE-2021-44228 because Log Service does not use Apache Log4j2.

Container Registry
Container Registry is not affected by CVE-2021-44228 because Container Registry does not use Apache Log4j2.

DataWorks
Emergency measures were taken on December 14, 2021 to mitigate the impact of CVE-2021-44228 on the public cloud offering of DataWorks. The Apache Log4j2 used by all affected DataWorks components is being updated to the latest version, and an announcement will be issued immediately after the update is complete. UDFs created in DataWorks run in a security-hardened sandboxed environment, which presents a low security risk. However, UDFs may depend on data in other services, so we recommend that customers update Log4j2 in their UDFs to the latest version. To obtain more information, submit a ticket to Alibaba Cloud.

Security Center
Fixes have been rolled out in the Security Center modules that were affected by CVE-2021-44228.

WAF
Fixes have been rolled out in the Web Application Firewall (WAF) modules that were affected by CVE-2021-44228.

NAT Gateway
Fixes have been rolled out in the NAT Gateway modules that were affected by CVE-2021-44228.

Apsara File Storage NAS
The Log4j2 version used by the Apsara File Storage NAS console has been updated, and NAS is not affected by CVE-2021-44228.

Domains
The Domains service has been updated against CVE-2021-44228.

DNS
Fixes have been rolled out in the Domain Name System (DNS) modules that were affected by CVE-2021-44228.

Quick BI
Quick BI uses a Log4j2 version that is not affected by CVE-2021-44228.

II. Notice to Customers

The Alibaba Cloud security team issued the Security Advisory on Apache Log4j2 RCE Vulnerability (CVE-2021-44228) (https://www.alibabacloud.com/notice/log4j2) at 23:00 (UTC+8) on December 16, 2021. Alibaba Cloud has notified all customers of the vulnerability by text message, email, and in-site message. We have also recommended that customers upgrade all affected applications and systems to the latest version. Alibaba Cloud will continue monitoring the latest developments regarding the Log4j2 vulnerability and provide updates accordingly.