Is Miro affected by the vulnerability in the Log4j logging library (CVE-2021-44228)?
I’d suggest opening a Miro support request for this question as I believe only someone in Miro’s security team could answer it: Submit a request – Miro Support & Help Center
Kiron
Done
[Request received — #371467] Log4j vulnerability
No response yet, just a ticket number (see above)
Hi all,
Here’s a summary of how Miro is ensuring rapid remediation and mitigation regarding the Java Log4j RCE vulnerability (CVE-2021-44228), to keep customer content and data secure.
Status of Mitigation and Remediations
- No additional actions are required from the customers
- Miro has rolled out the updates to detect and mitigate CVE-2021-44228
- Where immediate removal may be problematic, Miro has implemented mitigation controls with firewall blocking and extended monitoring and alerting
- Attempts at exploitation will be automatically blocked at the Miro firewall level
What is Log4j RCE?
A 0-day exploit in the Java core library log4j was discovered that results in Remote Code Execution (RCE). Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. The attack surface is very wide, since it’s almost impossible to find any single Java project without the log4j library enabled. It affects internal services and APIs that are based on Java and use other API and application data to log them.
Will updates on this status also be placed here?
Hi
I went ahead and checked with our internal trust team on this so that I could provide you with the most accurate and up-to-date information.
We are aware of this newly released CVE and per the description: 2.15 is incomplete in certain non-default configurations in addressing Log4j. It does not state that it is not secure. We intend to post updates to the site as they become available.
If you have further questions on your specific account, I would encourage you to create a support ticket so that we can best assist you with this. Thanks, Philipp!