Log4J Issue (CVE-2021-44228)
Incident Report for Qubole
Resolved
Qubole’s investigation of the CVE-2021-44228 vulnerability in the Apache Log4j library continues to advance, with a focus on identifying any exposed instance of a vulnerable Apache Log4j library as per Apache’s public updates. Qubole consists of two parts: (1) the Control Plane, which resides on Qubole-controlled hardware, and (2) the Data Plane, which resides on Customer-controlled hardware. The investigation is guided by this structure.

Within the Control Plane (on Qubole-controlled hardware), our investigation confirmed there are no exposed instances of the Apache Log4j library within the version range that contains this vulnerability. Therefore, the investigation confidently concludes the Control Plane is not impacted by the Apache Log4j vulnerability.

For the Data Plane (on Customer-controlled hardware), we understand Qubole customers will want to take immediate action to protect the environments they control. This immediate action can be achieved by following the mitigation instructions as published by Apache on the Apache website (https://logging.apache.org/log4j/2.x/security.html).

Although our initial and thorough investigation has concluded, Qubole continues to monitor for potential breaches. We will keep actively monitoring this situation and communicate with stakeholders as appropriate.
Posted Dec 16, 2021 - 06:39 PST
Investigating
This incident will be used to track information about the Log4J Issue and its impact on the Qubole infrastructure. Below is the current message from the Idera Security and Compliance Team:

Customer Update to Log4J Issue (CVE-2021-44228)

This is an update of Idera's internal review of the Log4J Issue (CVE-2021-44228). At this time we are still reviewing the following products and we expect to complete this by the end of day today.

Qubole - Still under review.

XBlend / XRay On Prem - Still under review. (SaaS version complete with no issues)

All other products in the Idera family have been reviewed and confirmed to have no issues with Log4J Issue (CVE-2021-44228) at this time. If you have any questions or concerns, please contact us.

Idera Security and Compliance Team.
Posted Dec 14, 2021 - 12:39 PST
This incident affected: us.qubole.com Environment (AWS) (Site Availability), wellness.qubole.com Environment (AWS) (Site Availability), in.qubole.com Environment (AWS) (Site Availability), eu-central-1.qubole.com Environment (AWS) (Site Availability), oraclecloud.qubole.com Environment (Oracle) (Site Availability), gcp.qubole.com Environment (GCP) (Site Availability), gcp-eu.qubole.com Environment (GCP) - BETA (Site Availability), and Site Availability, Site Availability.