On December 10th, 2021, Acquia was made aware of a security vulnerability in the Apache log4j logging utility.
Acquia immediately investigated and determined that Acquia Search with Solr 7 was the only customer-accessible Acquia product affected by the log4j vulnerability, CVE-2021-44228.
Given the severity of this vulnerability, Acquia chose to deactivate all potentially susceptible search services while investigation and remediation took place, in order to protect all Acquia customers and their data. Testing by Acquia security personnel found that in many cases Drupal and/or its associated modules prevented exploitation. Acquia ensured that the vulnerability was fully mitigated before reactivating the affected search services.
As of Dec 10, 2021, Acquia had applied the fix to all systems that were known to be vulnerable. This was communicated on our Status Page at https://status.acquia.com/.
Mitigating actions that remediate this vulnerability have been taken on all systems, regardless of whether they were potentially accessible.
No Acquia hosting platform (Acquia Cloud Enterprise, Acquia Cloud Site Factory, or Acquia Cloud Professional) uses Java, and thus none of them directly uses log4j.
As a standard practice, Acquia recommends that customers design their applications, and all associated forms that accept user input, to validate and sanitize all input. Acquia evaluates and implements mitigations for known vulnerabilities according to our security policies, and reminds all customers that security is a shared responsibility between the platform and the applications running on it.
Update: On Dec 14th, CVE-2021-45046 was published. This vulnerability is rated as Low risk and will be subject to Acquia's standard patching procedure (see the link to our policies above).
Update: As of Dec 15th the situation around log4j is changing rapidly. The actual risks are unclear at the moment, but we aim to deploy further updates as soon as possible without causing significant disruption to customer applications. We are continuing to monitor the situation closely.
Update: To ensure the continued security of the platform, Acquia deployed the latest version of log4j (2.16.0) to Search Solr7. We were able to do so with minimal disruption to customer applications. This rollout was complete by 14:00 UTC on Dec 16th, 2021.
Update: Acquia is aware that log4j 2.17.0 and subsequently 2.17.1 have been released to address additional vulnerabilities. Having assessed the details, we plan to follow our standard patching procedure and will not be performing an emergency update. We continue to monitor the situation closely.