On Thursday, December 9, 2021, a vulnerability in the Java logging library Log4j was disclosed and assigned the CVE ID CVE-2021-44228, also nicknamed Log4Shell. The Cybersecurity and Infrastructure Security Agency (CISA) also released an alert on December 10.
This is an incredibly serious vulnerability that has had security teams in every industry on high alert, working around the clock to ensure that their systems are secure. At a high level, the vulnerability allows Remote Code Execution (RCE) on an affected server, granting an attacker full control. A detailed explanation was published by LunaSec.
Security is our top priority at Auth0, and we recognize the critical role our platform plays for our customers. Since the vulnerability came to light, Auth0 teams across Engineering, Product, Customer Success, and Security, led by our Detection and Response team, have been all hands on deck to evaluate any potential impact on our platform. This is one of the most dangerous vulnerabilities that our industry has seen, and we have treated it with that level of seriousness. It also has the potential to be very widespread, and methodically reviewing code and systems takes time. We started with our most critical assets and worked outwards, gaining more assurance as we progressed.
As we stated in our tweet last weekend, we did not see direct impact then, nor do we now, after continuous assessment and monitoring. We can confirm that there were no signs of exploitation, and the Log4j library is not used in our core service code base.
Auth0 does use a very small number of third-party components that were vulnerable to Log4Shell. We have been working closely with our partners throughout the incident response process, firstly to apply patches as soon as they are released, and secondly to identify whether those components could have been used as a potential path to compromise our service. Again, our review has not shown any signs of abuse of the vulnerability.
The speed of response from our teams and our existing security architecture were essential here. Using our existing security tooling, we were able to scan our entire code base and containers for the affected library and quickly gain assurance that we were not affected. We also deployed WAF rules at our edge for an extra layer of protection and then focused our efforts on assuring our supply chain. Finally, our Red Team has been actively attempting to use the vulnerability against the Auth0 platform, further increasing our level of assurance through offensive testing.
This vulnerability is very serious. We recommend that all of our customers continue to closely review and monitor their own systems and third-party components for the vulnerability and for any signs of compromise. Critically, make sure you are running the latest versions of any impacted software (please see Okta's blog for details of the impact on Okta products).
Subsequently, other vulnerabilities have been reported in Log4j (CVE-2021-45046 and CVE-2021-45105), and we expect there to be more as the library receives further attention from security researchers. We will continue to closely monitor and investigate the situation, and provide prompt notification if the situation changes.