CVE-2021-44228 - log4shell / log4j Vulnerability Analysis

Issue

A potentially critical 0-day exploit CVE was identified on Dec 10, 2021.  https://nvd.nist.gov/vuln/detail/CVE-2021-44228 Armory has investigated this 0-day critical issue, and has performed analysis on the vulnerability and its potential for harm to Armory Enterprise customers.  

Cause

The vulnerability exposes a remote-execution vulnerability in services that use log4j. Spinnaker services use logback, a different logging implementation. Here are some examples of how the vulnerability might be exploited:https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/https://www.lunasec.io/docs/blog/log4j-zero-day/#example-vulnerable-code The affected class org.apache.logging.log4j.core.lookup.JndiLookup is not bundled with Armory Enterprise. This was validated by inspecting service dependencies, logs from active services and thread profiling services to ensure the affected class is neither packaged or used.