The cybersecurity community appears to agree that Log4j was the most important vulnerability of 2021.
Here at JetRails, we’re glad to report that most of the systems we use, both internally and as part of the single-tenant hosting environments that we provide for our clients, were unaffected. That’s not to say we didn’t move quickly, however, to patch the specific software that does use or bundle Log4j.
At the edge, unless a client specifically requests otherwise, we use Cloudflare’s web application firewall (WAF) as one of many components in our advanced security stack. Cloudflare’s systems have been virtually patching against this threat since it became public knowledge. This has minimized the potential impact of this security hole on our user base by blocking malicious requests before they reach the application server, even where the origin server is not running a vulnerable version of the software.
Regarding software that we looked to patch manually, Elasticsearch was our top initial concern, as it is used by most Magento 2 websites. Fortunately, the versions of Elasticsearch that we use are not vulnerable to these RCE exploits. We have nonetheless been rolling out patches so that our systems are hardened against this class of attack in general.
The next key system we looked at was cPanel. Because we have not been recommending cPanel for Magento 2 environments, very few of our customers were affected. That said, we have rolled out the required patches to all cPanel environments that we manage.
It’s worth noting that the original patch created to address the Log4j vulnerability (2.15.0) turned out to need an update, so when we say that we’ve patched systems, we’re referring to the 2.17.0 patch. We’ve also disabled the vulnerable JNDI lookup functionality globally, in case a client ever requires software that cannot or will not be patched by the official software vendor.
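The two facts a defender needs to verify on a host are the ones this paragraph names: whether every copy of log4j-core is at 2.17.0 or later, and whether the JNDI lookup class is still loadable where a vendor will not ship a patch. The following audit script is an added example written for this post, not JetRails’ own tooling or anything from the Log4j project. It assumes that "disabling JNDI lookups globally" is done by removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from the jar (the post does not say which method was used), reads the version from each jar’s `Implementation-Version` manifest entry, and descends into jars nested inside WAR/EAR files, which is where application servers usually hide their copy. The sample archives it checks when run without arguments are constructed fixtures, not real log4j builds.

```python
"""Audit jar/war/ear files for log4j-core version and a still-present JndiLookup class."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Release the post treats as the fix; anything older is flagged for patching.
PATCHED_VERSION = (2, 17, 0)
# Assumption: "JNDI lookups disabled globally" means this class was removed from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); '2.17' -> (2, 17, 0); None when not a version string."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if the entry exists."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return parse_version(value)
    return None


def audit_jar_bytes(data, label):
    """Return findings for one archive and for any .jar files nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            version = manifest_version(jar)
            findings.append({
                "jar": label,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
                # An unreadable version is treated as unpatched so it gets a manual look.
                "needs_patch": version is None or version < PATCHED_VERSION,
            })
        # Fat jars, WARs and EARs carry log4j-core under WEB-INF/lib and similar paths.
        for name in names:
            if name.endswith(".jar"):
                findings.extend(audit_jar_bytes(jar.read(name), f"{label}!{name}"))
    return findings


def audit_tree(root):
    """Walk a directory tree and audit every .jar, .war and .ear file found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".jar", ".war", ".ear"}:
            findings.extend(audit_jar_bytes(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi):
    """Constructed fixture: a minimal archive shaped like log4j-core (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
        if include_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def build_sample_war(inner_name, inner_bytes):
    """Constructed fixture: a WAR that bundles one jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/lib/" + inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_tree(sys.argv[1])
    else:
        old = build_sample_jar("2.14.1", include_jndi=True)
        results = audit_jar_bytes(build_sample_war("log4j-core-2.14.1.jar", old), "app.war")
    for finding in results:
        print(finding)
```

Run it as `python audit_log4j.py /opt` (or any root the application servers live under) and review every line where `needs_patch` or `jndi_lookup_present` is true. The version threshold is the 2.17.0 release this post refers to; hosts that are pinned to the Java 7 or Java 6 backport branches (2.12.x and 2.3.x) need their own thresholds added, since those branches received separate fixed releases and this script would flag them as unpatched.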
If you have questions about your specific JetRails hosting environment, we welcome you to open a ticket and request any particular information from our support team.