As you may or may not be aware a high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 465 utility was disclosed publicly via the project’s GitHub 862 on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.
Out of the services provided by MDOQ the only service that has potential to be effected is Elasticsearch. All platforms supported by MDOQ (Magento 1, Magento 2, Vue Storefront Frontend and Vue Storefront Backend) are able to use Elasticsearch.
The exploit targets a sub service (Apache Log4j 2) used by Elasticsearch. For it to be exploited un-sanitized input must be passed onto Log4j via Elasticsearch.
For customers using MDOQ production hosting and for development instances
Because MDOQ uses isolated services that aren't directly exposed to the internet this would mean for an attack vector to be valid the attacker would have to pass an input through your application, which would get passed onto Elasticsearch, which would then be passed onto Log4j. e.g for Magento this would be:
User Input => Magento => Elasticsearch => Log4j
There are no recorded valid entrypoints that would allow this at the time of writing though we continue to investigate and watch for updates.
With this in mind, we still recommend following the mitigation advice below to ensure you are secure should such a path be found.
For customers hosting/managing their own infrastructure
Depending on how your site is configured you may be exposing Elasticsearch / Log4j directly to the internet in which case we strongly recommend following the mitigation advice below as soon as possible.
Mitigation Advice
The following mitigation advice has been compiled using the information and recommendations from: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
| Version | EOL Date | Is EOL | JDK Version | RCE Vulnerable | Info Leak Applicable | Mitigation / Action Required |
| 2.4.6 | 2018-02-28 | Yes | 1.8.0_181 | Yes | Yes | Upgrade Elasticsearch |
| 5.6.4 | 2019-03-11 | Yes | 1.8.0_141 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.10 | 2019-03-11 | Yes | 1.8.0_171 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.11 | 2019-03-11 | Yes | 1.8.0_181 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.12 | 2019-03-11 | Yes | 1.8.0_181 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.13 | 2019-03-11 | Yes | 1.8.0_191 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.14 | 2019-03-11 | Yes | 1.8.0_191 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.15 | 2019-03-11 | Yes | 1.8.0_191 | Unknown | Yes | Upgrade Elasticsearch |
| 5.6.16 | 2019-03-11 | Yes | 1.8.0_201 | Unknown | Yes | Upgrade Elasticsearch |
| 6.3.1 | 2019-12-05 | Yes | 10.0.1 | No | No | No action required |
| 6.8.12 | 2022-02-08 | No | 14.0.1 | No | No | No action required |
| 7.6.0 | 2021-08-11 | Yes | 13.0.2 | No | No | No action required |
| 7.6.1 | 2021-08-11 | Yes | 13.0.2 | No | No | No action required |
| 7.6.2 | 2021-08-11 | Yes | 13.0.2 | No | No | No action required |
| 7.8.1 | 2021-12-18 | No | 14.0.1 | No | No | No action required |
| 7.9.0 | 2022-02-18 | No | 14.0.1 | No | No | No action required |
EOL - End Of Life
RCE - Remote Code Execution