On December 9th, a Critical Day 0 vulnerability was disclosed by Apache that affects Apache Log4j2 (CVE-2021-44228). There were many applications across the Internet that were impacted.  As a member of the Instructure family we want to update you on what we have done to protect against this vulnerability. First, and most importantly, our customers were not exposed and there is no action required on your part.

Most Instructure Learning Platform products are not developed using Java.  For the few Instructure products that do use Java, Log4j2 is not commonly used and those products do not utilize the Log4j2 against raw user requests.  We also reviewed other libraries/projects in our systems which utilize Log4j2 as a dependency.  In all cases we have reviewed the usage to ensure that raw user input was not processed and applied the recommended mitigations.

Q: What is the Apache Log4j2 JNDI Vulnerability?

From the NIST National Vulnerability Database: “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”

Q: What has Instructure done to remediate this?

Instructure has applied appropriate mitigations to affected services and are working to patch any use or interface with the vulnerable component Log4j2. We have reviewed all instances of Log4j2 in Instructure products and have implemented mitigations or upgrades to the services on December 10, 2021. We are not aware of any successful exploits of the vulnerability as the underlying patched/mitigated services did not process raw user requests or logs.

Update Dec 21, 2021: Initial mitigations were put in place that have since been patched to 2.17

Q: Is there anything we need to do as an organization or Canvas user?

We have reviewed all instances of Log4j2 in Instructure products and have implemented mitigations or upgrades to the services on December 10, 2021and December 15, 2021.

For more information, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j2 (https://logging.apache.org/log4j/2.x/index.html) post.