Rhombus Response to Log4j Zero Day Vulnerability
December 13, 2021
On December 9, 2021, the Apache Log4j project disclosed a zero-day vulnerability (CVE-2021-44228) in the Log4j 2 logging library. This vulnerability is also known as Log4Shell.
If a service logs attacker-controlled input with a vulnerable version of Log4j, an attacker can embed a JNDI lookup string in that input and have the logger fetch and execute code from a server the attacker controls. This gives the attacker remote code execution on the affected host, without authentication, and effectively remote control of it.
Upon learning of this vulnerability, Rhombus immediately began auditing its services for any use of Log4j. Our analysis over the last few days found the following:
What was not affected
Rhombus Systems' own services do not use Log4j for logging. Our analysis confirms that:
- No mobile applications use Log4j
- No code running on Rhombus cameras or sensors uses Log4j
This means that the following products and components were NOT affected:
- Rhombus Cloud Servers
- Rhombus Web Console
- Rhombus iOS Mobile App
- Rhombus Android Mobile App
- Rhombus Apple TV App
- Rhombus Smart Cameras
- Rhombus IoT Sensors
What was affected
One AWS service used by Rhombus (Amazon OpenSearch Service) was running a vulnerable version of Log4j.
- Rhombus is waiting for AWS to release the patch so we can apply it to our production instances.
- This currently has no known impact on Rhombus customers. We have confirmed only that the vulnerable version is present; we have not determined whether it is exploitable in our deployment, which would require attacker-controlled input to reach that service's logger.
One piece of third-party software (Apache Flink) uses Log4j, but not an affected version.
- Out of an abundance of caution, we are also setting the JVM flag -Dlog4j2.formatMsgNoLookups=true so that lookups in log messages (including remote JNDI lookups) are not evaluated, even if an affected version were present. Note that this flag is a mitigation, not a patch: it only takes effect on Log4j 2.10 and later, it was later found insufficient in some configurations, and Apache's guidance is to upgrade to a fixed release.
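The two findings above hinge on knowing exactly which log4j-core version a deployable carries and whether the formatMsgNoLookups flag would even apply to it. The following is an added example (not Rhombus code, and not from Apache) of how to make that check: it inventories jars, reads the Maven pom.properties that log4j-core ships inside its jar, checks whether JndiLookup.class is present, recurses into nested jars (as in fat/uber jars), and classifies each hit. The sample jars are constructed in memory so the script runs offline; the Maven metadata path and the BOOT-INF layout of the fat jar are assumptions about how such jars are laid out.

```python
"""Inventory log4j-core jars and classify each for CVE-2021-44228.

Added example, not Rhombus code. Sample jars below are constructed
in memory; use scan_path() to scan a real directory on a host.
"""
import io
import re
import zipfile
from pathlib import Path

# Maven metadata path that log4j-core ships inside its jar (assumed layout).
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$"
)
# The class that performs ${jndi:...} lookups; deleting it is Apache's
# mitigation for versions too old for the formatMsgNoLookups flag.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' are
    ignored, which still orders them below 2.10 and 2.15 as intended."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def classify(version: tuple, has_jndi_lookup: bool) -> str:
    """Status of one log4j-core jar with respect to CVE-2021-44228.

    Facts used: the CVE affects Log4j 2 from 2.0-beta9 through 2.14.1 and is
    fixed from 2.15.0; the log4j2.formatMsgNoLookups property exists only
    from 2.10.0; removing JndiLookup.class neutralises the JNDI lookup.
    """
    if version[0] != 2:
        return "not-log4j2"
    if version >= (2, 15, 0):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated-class-removed"
    if version >= (2, 10, 0):
        return "vulnerable-flag-applicable"
    return "vulnerable-flag-ineffective"


def scan_jar_bytes(data: bytes, name: str, findings: list) -> None:
    """Record a finding if this jar contains log4j-core, then recurse into
    any jars nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version = None
        for entry in names:
            if POM_PROPS_RE.search(entry):
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = m.group(1).strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None:
            findings.append({"jar": name, "version": version,
                             "status": classify(parse_version(version), has_jndi)})
        elif has_jndi:
            # Shaded jar without Maven metadata: version unknown, but the
            # lookup class is present, so it still needs attention.
            findings.append({"jar": name, "version": None,
                             "status": "unknown-version-jndi-present"})
        for entry in names:
            if entry.lower().endswith(NESTED_SUFFIXES):
                scan_jar_bytes(zf.read(entry), f"{name}!{entry}", findings)


def scan_path(root: str) -> list:
    """Scan every jar/war/ear under a directory on a real host."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in NESTED_SUFFIXES:
            scan_jar_bytes(p.read_bytes(), str(p), findings)
    return findings


def scan_all(jars: dict) -> dict:
    """Scan in-memory jars; returns {jar name: status}."""
    findings = []
    for name, data in jars.items():
        scan_jar_bytes(data, name, findings)
    return {f["jar"]: f["status"] for f in findings}


# --- constructed sample data (not real artifacts) --------------------------
def build_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def fake_log4j_core(version: str, include_jndi: bool = True) -> bytes:
    entries = {
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
    }
    if include_jndi:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"  # placeholder, not real bytecode
    return build_jar(entries)


SAMPLE_JARS = {
    "service-a.jar": fake_log4j_core("2.14.1"),                      # last vulnerable release
    "service-b.jar": fake_log4j_core("2.8.2"),                       # too old for the flag
    "service-c.jar": fake_log4j_core("2.17.1"),                      # fixed
    "service-d.jar": fake_log4j_core("2.11.0", include_jndi=False),  # class deleted
    "fat-app.jar": build_jar({                                       # nested jar (assumed Spring Boot layout)
        "BOOT-INF/classes/app.class": b"",
        "BOOT-INF/lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
    }),
}

if __name__ == "__main__":
    for jar, status in scan_all(SAMPLE_JARS).items():
        print(f"{jar}: {status}")
```

The status strings make the operational decision explicit: "vulnerable-flag-applicable" means the formatMsgNoLookups flag is a usable stopgap until the upgrade lands, while "vulnerable-flag-ineffective" means the only options are upgrading or deleting JndiLookup.class from the jar. Jars that relocate packages during shading will not match the Maven path and may not keep the class at its original path, so a clean scan is evidence, not proof.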
Is any action required from Rhombus users?
No. Rhombus users can continue to use the Rhombus platform as usual. Any patches are applied remotely by Rhombus to its cloud services and devices, with no customer action needed.
The Rhombus Security team will continue to evaluate our services and our vendors for any potential exposure to this vulnerability. We will post any updates directly to this blog post if we discover any other risks.