Circonus Assessment Regarding the Log4j Vulnerability (CVE-2021-44228)

As you are likely already aware, on December 9, 2021, Apache disclosed that Log4j contains a critical vulnerability allowing for unauthenticated remote code execution.

This vulnerability – CVE-2021-44228 – is also known as Log4Shell or LogJam. This is a serious issue impacting a large number of applications, as it is commonly used by Java-based software.

Circonus is committed to the protection and safety of your data, and has been closely monitoring this issue. While Circonus’ Broker and Alerting systems make use of Log4j, we use a custom build based upon version 1.2.15 that is not affected by CVE-2021-44228. This version is also not affected by the previously reported CVEs related to Log4j 1.2.X.

Circonus takes the security of our customers very seriously, and upon learning about the Log4j flaw, we moved towards removing all use of Log4j from our software. We are now in the process of developing and releasing updates to address any lingering ambiguity concerning use of Log4j. We will be issuing additional communications about these updates when they become available. Please monitor your email for these announcements.

Issues such as the Log4j vulnerability disclosure may raise questions as to how Circonus protects you and your data. Circonus maintains the Circonus Security Working Group, a group of technical leaders within our company focused on addressing security issues like Log4j.

The Circonus Security Working Group closely follows disclosures and reallocates resources to minimize the impact of announced vulnerabilities. Circonus actively reviews our services and performs third-party pentests to both improve our cybersecurity posture and mitigate identified risks. We also reevaluate existing risk strategies for landscape changes that may raise the risk threshold beyond acceptable levels.

As always, please let us know if you have any questions.