Pharos Products and Log4j Exploit
By Team Pharos | December 13, 2021
December 15th Update: This blog post has been updated with new information as we learn more. For the latest information on Log4j impact on Pharos products and how we’re mitigating the risk of this exploit, please visit our Community Page.
Background
Recently, a new zero-day vulnerability in the popular Java library Apache Log4j (CVE-2021-44228) was uncovered. This vulnerability allows attackers to execute arbitrary code through Log4j versions 2.0 through 2.14.1. This Java library is widely used by many closed and open source projects.
This vulnerability is rated critical (CVSS severity level 10 out of 10), with immediate patching or mitigation recommended if affected, because it allows Remote Code Execution when an attacker sends a malicious string that gets logged by Log4j. That string triggers a lookup that loads attacker-controlled Java code onto the server, giving the attacker control of it.
Impact of Apache Log4j Exploit on Pharos Products
After initial review, Pharos believes that Pharos customers are not impacted by the Log4j JNDI exploit.
A non-customer-facing cloud component used by Pharos was potentially susceptible to Log4Shell, specifically ElasticSearch, which Pharos uses to log events across our infrastructure. We have applied patches to all production environments. In addition, Pharos has scanned all our logs and confirmed that no attempts were made to exploit this vulnerability.
Pharos uses Java in our embedded solutions for some devices; however, the vulnerable library version is not used.
For more detail and up-to-date information, please visit our technical page on this topic on our community site. If you have further questions, please reach out to pharossecurityteam@pharos.com.