
CVE-2021-44228 Discovered

Incident window: December 10, 2021
The cloud operations and security team have thoroughly investigated the reported Log4j vulnerability (CVE-2021-44228) and found no current vulnerability to the services hosted on the Kony Cloud due to the newer versions of JVMs currently in use.
There is an additional attack vector reported against the log4j vulnerability, and the Cloud team is checking whether it applies to Kony Cloud. This variation purports to work around the JVM protections.
Customers that have uploaded vulnerable versions of log4j2 and deployed these JARs as part of their applications should immediately remove the log4j2 JARs (log4j-core, log4j-api, etc.), delete the JARs from their applications and from the workspace, and republish the affected applications. Kony Quantum loads the log4j2 JARs into the classpath, and we will be patching the product JARs. Duplicate log4j2 JARs bundled in the app will circumvent any remediation that the Cloud team provides.

Impacted Cloud services:

Impact Level: high

There is no impact to customer’s runtime environment at this time. As always, we would encourage customers to use caution when uploading custom Java code to their environments.

[2021-12-13 11:54 UTC] There is an additional attack vector reported against the log4j vulnerability and the teams are looking to see if this applies to Kony Cloud.

[2021-12-13 11:54 UTC] There is a risk from the latest log4j attack vector. We are patching the affected products and will be updating clusters in the coming hours.

[2021-12-14 09:15 UTC] All Identity services on Kony Cloud have been patched for CVE-2021-44228. We will be patching additional products as quickly as we can.

[2021-12-18 05:04 UTC] All multi-tenant services on Kony Cloud have been patched for CVE-2021-44228. This includes the Kony Cloud management console, Engagement, Developer Portal, and the Multi-Tenant Integration services.

[2021-12-21 19:10 UTC] The latest monitoring agent is being updated on all multi-tenant services on Kony Cloud, as the agent was vulnerable to CVE-2021-44228. This update will also be included in any updates to dedicated customer environments. We will be patching dedicated customer environments as quickly as we can.

[2021-12-23 07:10 UTC] We have begun updating the Fabric and Sync servers, as well as the monitoring agents on these systems. We will be patching dedicated customer environments as quickly as we can over the next few days. While some environments have passed their End-of-Life dates, we will make every effort to patch those systems as well. We hope to complete the updates over the next 72 hours.

[2021-12-24 02:00 UTC] We have completed updates to all Sync 8.x environments and partial updates to Fabric environments. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-24 14:05 UTC] We have completed updates to all Fabric 9.3.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-24 19:25 UTC] We have completed updates to all Fabric 9.2.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-25 01:55 UTC] We have completed updates to all Fabric 9.1.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-25 04:52 UTC] We have completed updates to all Fabric 9.0.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-26 05:52 UTC] We have completed updates to all Fabric 8.0.x, 8.1.x, 8.2.x, and 8.3.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. Please open a ticket if there are any issues noticed with the log4j2 updates. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-26 22:26 UTC] We have completed updates to all Fabric 8.4.x environments and partial updates to other Fabric versions. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. Please open a ticket if there are any issues noticed with the log4j2 updates. We are continuing to roll out updates for all supported releases, and will patch EOL versions on a best effort basis.

[2021-12-29 18:19 UTC] We have completed updates to all Sync 7.x environments. All Sync environments on Kony Cloud have been patched for CVE-2021-44228. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. Please open a ticket if there are any issues noticed with the log4j2 updates. We continue to patch EOL versions on a best effort basis.

[2021-12-30 02:40 UTC] We have completed updates to all Fabric 7.x environments. All Fabric environments on Kony Cloud have been patched for CVE-2021-44228. A more recent HotFix may have been applied as part of these updates, and customers should verify functionality of the applications. Please open a ticket if there are any issues noticed with the log4j2 updates.

[2021-12-30 02:45 UTC] We are working on a plan to assist customers who have built and deployed custom WAR files, or who have uploaded a version of log4j-core-*.jar that is compromised. Customers using the ZIP format for deployments will not need any additional patches if they have not deployed a custom version of log4j2 JARs.

[2022-01-07 02:56 UTC] We have patched all of the internal files used for customers deploying WAR files from Visualizer Enterprise or Kony Studio. Customers that have published WARs will need to re-publish the WAR in order to pick up the patched log4j2 JARs. Customers using the ZIP format for deployments will not need any additional patches if they have not deployed a custom version of log4j2 JARs.

[2022-01-07 20:37 UTC] We have reviewed workspaces for customer uploads of the affected log4j JARs and will be opening tickets for each customer to a) remove the JAR and use the JARs already in CLASSPATH on the Fabric servers, b) Upload a patched log4j JAR and deploy the uploaded JAR, or c) Upload and use 2.17+ of log4j in their custom code. We recommend option ‘a’ where possible.
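The advisory's customer-side action, both in the opening notice and in the three remediation options above, comes down to finding log4j-core JARs bundled inside a customer's own WAR/ZIP deployment and removing or replacing any that are below 2.17. The following is an added example of that check, not Kony's tooling: it reads the version from the JAR file name, and additionally looks for JndiLookup.class inside the nested JAR so that a repackaged old build with a new name is still caught. The sample WAR is constructed in memory purely for illustration.

```python
import io
import re
import zipfile

# Advisory threshold: custom code should use log4j 2.17+; JndiLookup is the class CVE-2021-44228 abuses.
MIN_SAFE_VERSION = (2, 17, 0)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")


def scan_archive(data):
    """Report every log4j-core JAR bundled inside a WAR/ZIP deployment given as bytes.
    Flagged for removal if below the minimum version or still shipping JndiLookup.class
    (a repackaged old build can hide behind a new file name)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for name in outer.namelist():
            match = LOG4J_CORE_RE.search(name)
            if not match:
                continue
            # Compare as a tuple of ints so 2.9.x sorts below 2.17.0, unlike a string compare.
            version = tuple(int(part) for part in match.group(1).split("."))
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                has_jndi = JNDI_LOOKUP_CLASS in inner.namelist()
            findings.append({
                "entry": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "remove_before_republish": version < MIN_SAFE_VERSION or has_jndi,
            })
    return findings


def _jar_with(entries):
    """Build an in-memory JAR holding the given empty entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR, not a customer artifact: one old and one patched log4j-core."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as outer:
        outer.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar_with([JNDI_LOOKUP_CLASS]))
        outer.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _jar_with(["META-INF/MANIFEST.MF"]))
        outer.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", _jar_with(["META-INF/MANIFEST.MF"]))
    return war.getvalue()
```

Only log4j-core is inspected because that is where the JNDI lookup lives; log4j-api entries are listed by the advisory for removal alongside it but are not themselves the vulnerable component.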
