Blog

Previous

Press Articles about RCE “file Upload” Vulnerability CVE-2020-11476 Friendly Reminder to Update to Version 8.5.4 for Security and Bug Fixes

Next

Concrete Hosting and Log4j Shell Additional Fixes CVE-2021-45046

Concrete & Log4j Zero Day Exploit

Dec 11, 2021 by ConcreteCMS

Update Dec 28, 2021. We are aware of CVE-2021-44832 and are continuing to patch any systems that include log4j updated as patches become available

Update Dec 20, 2021:  We are keeping any systems that include log4j updated as patches become available for additional CVEs related to Log4j. This blog relates to the original Apache Log4j CVE-2021-44228. We posted a blog about follow on vulnerability CVE 2021-45046.  We are aware of CVE-2021-45105 and have applied all available mitigations and updates. We are remaining vigilant.

On December 9, 2021 a serious vulnerability in the Java-based logging package Log4j was publicly disclosed. In broad strokes, this vulnerability (CVE-2021-44228) allows an attacker to execute code on a remote server, it’s a pretty big deal.

The Concrete Content Management System (CMS) itself does not include Log4j itself, but your hosting environment may very well use it. 

PortlandLabs has been working diligently to ensure that its own hosting customers are not affected by the zero-day exploit. Attackers are actively using the Log4j vulnerability to attempt remote code execution (RCE).

PortlandLabs has 24/7 monitoring and alerting in place to guard Concrete Hosting customers. Incoming traffic to customer sites are protected according to AWS best practices. AWS recommendations to remediate and mitigate for this vulnerability have been followed. 

Web Application Firewall (WAF rules) have been updated and will continue to be updated as new information is provided about the exploit. 

Configuration settings for various services have been updated as recommended to protect against this exploit. 

PortlandLabs has either upgraded any use of Log4j to the non-affected version 2.15.0 or has used alternative mitigation when upgrading was not possible. Production logs have been analyzed to ensure that no customers have been affected. 

PortlandLabs will remain diligent and will continue to remediate the Concrete Hosting environment as more information about the Log4j exploit becomes available. 

If you’re wondering if your website is secure, you should ask your hosting provider what they’re doing about this exploit. If you’d rather not wonder, here's another reason you should simply host with us