On Friday, December 10, 2021, the United States Cybersecurity and Infrastructure Security Agency issued an alert about a vulnerability in Apache’s Log4j2 software. Apache Log4j2 is a Java software library used by many companies for logging application information. Log4j2 is often embedded in custom software or bundled with software applications. The security vulnerability exists in versions 2.0 through 2.14 of Log4j2.
Our customers’ security is a top priority, and we took immediate action to investigate any potential threats that our customers may be exposed to through Panzura products and solutions.
Panzura Data Services (PDS) contains some services that include Log4j2 as a component for logging. All Log4j2 components were immediately disabled upon receiving the alert to ensure no Panzura customer environment was exposed to this vulnerability. Since Data Services is a SaaS offering, no further action is required by any Panzura customer.
The following Panzura products do not contain Apache Log4j2, and are not affected by the CVE-2021-44228 vulnerability:
- Panzura CloudFS
- Panzura Cloud Block Store
- Panzura Mobile
Additional Measures Taken
Over the weekend, Panzura performed additional targeted vulnerability scans to detect the existence of this vulnerability elsewhere in our networks. No instances of the vulnerability were found. We will continue to actively monitor this security threat and notify customers of any changes.