Because of the widespread Log4J vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), we checked all MSI Platform Services. The outcome:
MSI Collaboration Tools: We found the vulnerability only in Bitbucket:
- Bitbucket Data Center: Log4J is installed → We rolled out a flag to deactivate it.
- Bitbucket Elasticsearch/OpenSearch → We deployed a patch and fixed it.
MSI Development Tools: We found the vulnerability in the following services:
- Jenkins plugins → All namespace owners have to make sure that their plugins are not affected.
- SonarQube → Countermeasures have been taken, so SonarQube is secure.
MSI Logging: We found the vulnerability in the following service:
- Logstash → Countermeasures have been taken: Logstash has been updated to a fixed version.
Overall: All MSI Platform Services that were affected have been updated. So apart from the Jenkins plugins, no MSI service is affected by the Log4J exploit. MSI blog post with details: https://collaboration.msi.audi.com/confluence/x/Iya2H
» Updated
Dear users, all of you might have heard about the Log4J vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 We are working on this right now: we are checking which of our services might have security gaps because of it and will close any we find.
To all users working with our Development Tools: Please keep in mind that we don't maintain the Jenkins plugins in your namespaces. You'll have to check these yourself.