Scalyr and the Log4j Vulnerability

Executive Summary

  • A new critical remote code execution vulnerability in Apache Log4j2, a Java-based logging library, is being tracked as CVE-2021-44228.
  • Scalyr, a SentinelOne company, is committed to industry-leading standards for security.  We have addressed the vulnerability in our hosted services and code repositories; details are included below.

Scalyr – SaaS

As a SaaS company, Scalyr hosts services to support log ingestion, query, and public API activities.  While we do not use Log4j2 directly, some of our services pulled in affected versions as a transitive dependency of other libraries.

  • As of 10-DEC-2021, all Scalyr hosted services were redeployed with the JVM flag mitigation (-Dlog4j2.formatMsgNoLookups=true) in place, which disables message lookups on Log4j2 2.10 and later and closes the known exploit path.  This flag is a stopgap, not a fix: it is only honored by Log4j2 2.10 and later, so the library update below remained necessary.
  • As of 14-DEC-2021, all Log4j2 dependencies were updated to patched versions and new builds were deployed to production.

Scalyr – Code Repositories

Scalyr provides GitHub repositories containing utilities for customers to deploy and execute within their own systems.

  • As of 10-DEC-2021, any Log4j2 dependencies in Scalyr repositories were removed or updated to patched versions.
  • The Scalyr Agent contains no Java code and is not vulnerable.
  • The Scalyr Logstash Output plugin bundled a vulnerable version of Log4j2 as a transitive dependency.  The bundled copy was never loaded or used by the plugin, which limited the impact, but the plugin has been updated to stop bundling both the direct and transitive Log4j2 dependencies.  We recommend users update to the latest version of this plugin and also update Logstash itself.
  • The Kafka Connect Scalyr Sink plugin has been patched to reference a Log4j2 version that does not contain the vulnerability.  We recommend users update to the latest version of this plugin.
  • The Scalyr Java Client, Fluentd Plugin, Grafana Datasource Plugin, Helm Chart, and Command-Line Tool are not vulnerable.
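The bullets above turn on two questions a Log4j2 user has to answer for every deployed artifact: which log4j-core version is actually bundled, and whether it is bundled only as a transitive dependency buried inside another archive.  The following scanner is an added example for this page, not Scalyr's or SentinelOne's code.  It walks a directory tree, opens JAR/WAR/EAR archives including nested ones, and reports each log4j-core it finds using two signals: the version in the Maven pom.properties entry, and the presence of JndiLookup.class, the class that performs the JNDI lookup the exploit relies on (so a shaded JAR that lost its Maven metadata is still caught, and a JAR from which the class was removed is not flagged).  The 2.15.0 threshold is the first log4j-core release fixing CVE-2021-44228; the sample archives it builds for a self-contained run are constructed markers, not real Log4j builds.

```python
"""Find Log4j2 core JARs in a directory tree and flag the ones still exposed to
CVE-2021-44228 (fixed in log4j-core 2.15.0). Added example, not Scalyr code.

Signals combined, since shaded or repackaged JARs often lose Maven metadata:
  1. META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties -> version
  2. org/apache/logging/log4j/core/lookup/JndiLookup.class present or not
Nested archives (WEB-INF/lib/*.jar inside a WAR, JARs inside an EAR) are opened
recursively. Archives are read fully into memory; fine for a lib directory.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # first log4j-core release fixing CVE-2021-44228
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                # nested archives are written as outer!/inner
    version: Optional[str]   # from pom.properties; None for shaded JARs
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(text: str) -> Optional[tuple]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def version_from_pom(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """Exposed if JndiLookup is present and the version is below 2.15.0. An
    unknown version with JndiLookup present is treated as exposed: the
    conservative call for a shaded dependency that needs manual review."""
    if not has_jndi_lookup:
        return False
    parsed = parse_version(version) if version else None
    return parsed is None or parsed < FIXED_VERSION


def scan_archive(data: bytes, label: str, out: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container, so not a JAR
    with zf:
        names = set(zf.namelist())
        version = version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            out.append(Finding(label, version, has_jndi, assess(version, has_jndi)))
        for name in sorted(names):  # recurse into bundled archives
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!/{name}", out)


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> None:
    """Constructed sample archives carrying only the two marker entries,
    not real Log4j bytecode."""
    def write_jar(path, version, include_jndi):
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a class
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)            # exposed
    write_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0", True)            # patched
    write_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)  # class removed
    write_jar(os.path.join(lib, "shaded-app.jar"), None, True)                       # no metadata
    inner = io.BytesIO()  # WAR carrying a vulnerable nested log4j-core
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return findings keyed by
    path relative to the tree root."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return {os.path.relpath(f.path, d).replace(os.sep, "/"): f for f in scan_tree(d)}


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else list(demo().values())
    for f in results:
        print(f"{'EXPOSED' if f.vulnerable else 'ok':8} {f.version or '?':8} {f.path}")
```

Run it with a directory argument to scan a real deployment (for example a Logstash or Kafka Connect plugins directory); with no argument it scans the constructed samples.  Treat any "EXPOSED" line with an unknown version as a shaded dependency to inspect by hand, and remember that this checks what is on disk, not what a running JVM has loaded from elsewhere.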

Conclusion

Scalyr, a SentinelOne company, is committed to industry-leading standards for security, both in our hosted services and customer solutions.  We urge all Log4j2 users to patch their version as the most effective way to mitigate the vulnerability.

If you are interested in reading more about SentinelOne’s response to this CVE, please read this blog post. SentinelOne continues to actively monitor the situation and collaborate with industry partners to improve the collective defense of our customers and all Internet users.

If you have any questions about our mitigation efforts or steps you should take, please do not hesitate to reach out to your Customer Success representative or [email protected].