On December 10, 2021, the Apache Foundation reported a critical vulnerability in the Log4j logging library that can provide an attacker with the means to execute arbitrary code on affected systems. MITRE labeled the vulnerability as CVE-2021-44228. Additionally, the Apache Foundation disclosed two other vulnerabilities (CVE-2021-45046 and CVE-2021-45105) that could allow a denial-of-service attack against an impacted system.
How This Affects Virgo and Our Customers
After conducting a thorough review of our internal infrastructure, we have concluded that — with the exception of an internal metrics tool — Virgo is unaffected by these Log4j vulnerabilities. The Virgo video ingestion services, website, and firmware do not depend on the Log4j library.
As mentioned above, the only system affected by these Log4j vulnerabilities was an internal metrics tool, called Metabase. We run an instance of Metabase hosted in Google Cloud Platform behind a corporate firewall and accessible by a very limited number of employees. This instance has been updated to a newer release with fixes for CVE-2021-44228 and follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105.
Impact on Third Party Service Providers used by Virgo
Virgo’s infrastructure leverages a number of third party service providers. In addition to reviewing our own codebase to rule out Log4j impact, we have also reviewed the responses from our third party service providers to ensure that there was either no impact to services we use or that any impact has been properly remediated.
After conducting a thorough review of these third party services, we have concluded that there was no impact to third party services used by Virgo. An overview of these services is provided below:
Virgo will continue regular vulnerability scans on our products and monitor for any potential exposure to this or related vulnerabilities. At this time, Virgo customers do not need to take any specific actions related to their use of Virgo products and services.
Further questions may be directed to firstname.lastname@example.org