Update on the Log4j library vulnerability

A critical vulnerability has been discovered in the logging framework, Log4j. This framework is used in the BackupVault client – but here’s the important bit:

BackupVault is not affected by the Log4j vulnerability.

The exploit relies on a method not used by the BackupVault ESE client. This means you can rest assured that the backup client is completely safe to use and cannot be attacked using this technique.

While our server-side platform previously used the affected framework version, this has been patched and the issue is mitigated.

Let’s look at some key details.

BackupVault server-side Log4j

Background

The critical vulnerability has been found in the Log4j Java library. This bit is quite technical, so we won’t go deep into the details here. If you are so inclined, you can read up on the details.

Mitigation

The Log4Shell vulnerability only applies to Log4j v2 and above. In our case, this only affected an internal part of BackupVault’s backend Data Management Platform not publicly exposed to the Internet.

Crucially, this has been mitigated by upgrading to Log4j v2.1.5.

Log4j is also used on the ESE agent, but this utilises a version that is not affected by Log4Shell.

BackupVault ESE Client Log4j

Background

Log4j version 1.2.17 is used as a dependency in the ESE Agent. This version of Log4j features a known vulnerability – for more detail, you can delve into the specifics.

Mitigation

Whilst a CVE exists in the included library, it is of low risk to the BackupVault ESE agent – a server socket is required to make use of the exploit, and the library is included for use by another package only. The server socket is neither created nor used, meaning that the exploit itself cannot be used.

——————————————————————–

Your data is our priority, and events like this remind us all of the importance of a solid disaster recovery solution. Be assured that we are not affected by this, meaning – at least regarding your use of BackupVault software – neither are you.

If you have any questions or concerns, please reach out to our support staff at support@backupvault.co.uk.