Impact of Apache Log4j Vulnerability (CVE-2021-44228) on MetricStream
UPDATE (17-Dec-2021, 11:00 AM PST) for Cloud customers
MetricStream’s status remains the same.
Oracle Database Status
We are in continuous discussions with Oracle, as updates to their guidance have occurred almost daily since the discovery of the vulnerability. Currently the only version impacted is Oracle Database 12.2.0.1. Other versions of Oracle Database are not impacted, as the vulnerable file is inactive (off) in those versions.
MetricStream has reviewed the Oracle update from December 16th and, based on that, has tested a revised fix from Oracle which does not require immediate patching. MetricStream has also scanned our entire cloud environment and, more specifically, ascertained which customers are impacted. If the vulnerable subcomponent of Oracle Database version 12.2.0.1 is turned on in the MetricStream cloud for a customer’s platform, MetricStream would like to turn it off. This action WILL REQUIRE a DATABASE RESTART, briefly disrupting service. The MetricStream account team will reach out to IMPACTED CUSTOMERS to schedule the restart. Please contact your account team if you have questions.
UPDATE (17-Dec-2021, 10 am PST) for On-Premise customers
MetricStream’s status remains the same.
Oracle Database Status
We are in continuous discussions with Oracle, as updates to their guidance have occurred almost daily since the discovery of the vulnerability. Please follow the guidance on the Oracle Support site and reach out to your MetricStream team if you require assistance. You must log into Oracle Support to view these documents.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=287805447847025&id=2827611.1&_afrWindowMode=0&_adf.ctrl-state=qnheccoij_53
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=287859041456708&id=2796575.1&_afrWindowMode=0&_adf.ctrl-state=qnheccoij_151
UPDATE (16-Dec-2021, 9 am PST) for Cloud customers
MetricStream’s status remains the same.
Oracle Database Status
Oracle has revised the status of the impacts of the Log4Shell vulnerability. While Oracle Database is still listed under “Products Not Requiring Patches”, Oracle has provided guidance on an appropriate patch level for customers on Oracle version 12. For those customers requiring patching of the database, your MetricStream account team will reach out to you to schedule the deployment of the Mandatory Patch. Patching will require a downtime window, which can be negotiated to meet the needs of your business.
Interim Mitigation and Compensating Controls Prior to Mandatory Oracle Patching
Summary: MetricStream believes its architecture, robust security controls, and automated vulnerability protections minimize the risk of exploitation of the vulnerability for the following reasons:
- Cloud Databases are NOT accessible from external networks
- Internal Access to Cloud databases is controlled by a Privileged Access Management System
- Trend Micro Deep Security is in place to automatically prevent exploit of the vulnerability
- MetricStream’s Database and Network Architecture
- MetricStream has a 24x7 Security Operations Center monitoring attempted attacks
MetricStream’s perimeter access controls for inbound traffic from the Internet are designed to deny access by default; only authorized users of the MetricStream cloud, or connections from customer-whitelisted IP addresses, can gain access to MetricStream systems. In addition to network and security controls, MetricStream has a strict policy for access to systems.
Access is controlled under a least-privilege policy. Access to systems and the database is authenticated via two-factor or multi-factor authentication for all Support and Operations staff.
All MetricStream database servers have Trend Micro Deep Security installed. MetricStream’s Trend Micro signatures have been updated to prevent the current vulnerability from being exploited if an attempt is made.
MetricStream’s customer database deployment design ensures that customer databases are prevented, through access lists, firewalls, security groups (AWS) and network security groups (Azure), from direct communication outside the MetricStream cloud. MetricStream customer databases can only communicate with the MetricStream application servers internal to the MetricStream cloud. To exploit the Log4Shell (RCE) vulnerability and gain access to the system, an attacker needs access to the vulnerable server, which MetricStream denies by default for the database servers.
In the event of any anomalies in the MetricStream Cloud, the Security Operations Center is proactively notified and triages the alert or escalates it to Cloud Support.
UPDATE (15-Dec-2021, 9 am PST) for On-Premise customers
MetricStream’s status remains the same.
Oracle Database Status
Oracle has revised the status of the impacts of the Log4Shell vulnerability. While Oracle Database is still listed under “Products Not Requiring Patches”, there is a caveat for “Oracle Database (not exploitable) [Product ID 5] [See MOS Note 2796575.1]”. Please review the MOS notes and take the appropriate actions. The links below provide further details. You must log into Oracle Support to view these documents.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=287805447847025&id=2827611.1&_afrWindowMode=0&_adf.ctrl-state=qnheccoij_53
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=287859041456708&id=2796575.1&_afrWindowMode=0&_adf.ctrl-state=qnheccoij_151
UPDATE (14-Dec-2021, 10 am PST)
We continue to monitor what seems to be a fluid situation regarding the recognition of the impacts of the Log4Shell vulnerability by some of our suppliers. We continue to receive updates and will keep you posted on any changes.
MetricStream’s status remains the same.
INITIAL UPDATE: MetricStream’s Status (13-Dec-2021, 06:30 pm PST)
MetricStream Platform & Products (including Briefcase) are not affected by the Log4Shell vulnerability (CVE-2021-44228). MetricStream Platform & Products use Log4j version 1.2.17, and this version does not have this vulnerability. MetricStream has verified that the class file (JndiLookup.class) that carries this vulnerability is not present in the version of Log4j (1.2.17) that it uses.
MetricStream Installer is a tool used for installation and upgrades of MetricStream software. This tool is separate from MetricStream Platform & Products, is always executed locally to perform installation/upgrade tasks, and is not accessible remotely. This tool uses a vulnerable version of Log4j (version 2.1). MetricStream is implementing the steps to mitigate this vulnerability and will be upgrading to the latest version of Log4j (version 2.15), where this vulnerability is addressed. Currently the risk of exploitation of this vulnerability is almost nil: MetricStream Installer is only executed during installation and/or upgrade of MetricStream software (a planned activity executed only on a need basis), it is only executed locally, and it is not accessible remotely.
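The two checks described in these updates, whether a jar contains JndiLookup.class and which Log4j version it declares, can be automated for a whole install tree. The scanner below is an added example, not MetricStream’s own tooling; it reads the Maven pom.properties each Log4j jar ships, uses 2.15 as the fixed version named above, and builds its sample jars in memory so it runs offline.

```python
import io
import zipfile
from pathlib import Path

# Class whose presence marks a Log4j 2.x build that can perform JNDI lookups.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15)  # version from which the update says the issue is addressed

def parse_version(text):  # '2.1' -> (2, 1); a non-numeric part such as 'rc1' ends the parse
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def inspect_jar(data):  # -> {'version': str or None, 'jndi_lookup': bool}
    info = {"version": None, "jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        info["jndi_lookup"] = JNDI_LOOKUP_CLASS in names
        for name in names:  # Maven metadata shipped in both 1.x and 2.x Log4j jars
            if (name.startswith("META-INF/maven/") and "log4j" in name
                    and name.endswith("pom.properties")):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        info["version"] = line.split("=", 1)[1].strip()
    return info

def verdict(info):  # defender-side classification of one inspected jar
    if not info["jndi_lookup"]:
        return "no JndiLookup.class (e.g. Log4j 1.2.17): not exposed to CVE-2021-44228"
    if info["version"] and parse_version(info["version"]) >= FIXED_VERSION:
        return "JndiLookup.class present, version %s is 2.15 or later" % info["version"]
    return "VULNERABLE: JndiLookup.class present, version %s" % (info["version"] or "unknown")

def scan_directory(root):  # yield (jar path, verdict) for every .jar below root
    for path in Path(root).rglob("*.jar"):
        yield str(path), verdict(inspect_jar(path.read_bytes()))

def make_sample_jar(version, with_jndi):  # constructed stand-in for a real Log4j jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        group = "org.apache.logging.log4j/log4j-core" if with_jndi else "log4j/log4j"
        jar.writestr("META-INF/maven/%s/pom.properties" % group, "version=%s\n" % version)
        if with_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

Point `scan_directory` at an installer or application directory to list every jar with its verdict; jars nested inside other archives (war/ear) are not unpacked by this version.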
Risk Impact report for Log4j vulnerability