Thanks for asking, @atcarver . Here's the tl;dr: We are in the process of identifying and patching any log4j issues within our environment. Canvas LMS was not affected.
We will soon post a standalone public response similar to this one:
On December 9th, a Critical Day 0 vulnerability was disclosed by Apache that affects Apache Log4j2 (CVE-2021-44228). As a member of the Instructure family we wanted to update you on what we have done to protect against this vulnerability.
What is the Apache Log 4j2 JNDI Vulnerability?
From the NIST National Vulnerability Database: “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
What has Instructure done to remediate this?
Instructure continues working to patch any Instructure services that use or interface with the vulnerable component Log4j2. We have reviewed all instances of Log4j2 in Instructure products and have implemented mitigations or upgrades to the services on December 10, 2021. We are not aware of any successful exploits of the vulnerability and the underlying patched/mitigated services did not process raw user requests or logs. Log4J2 is not a core component of the Canvas LMS system.
For more information, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j2 (https://logging.apache.org/log4j/2.x/index.html) post.
