Security Notice - Apache Log4J Vulnerability

Security Notice - Apache Log4j Vulnerability

Last Update: December 15, 2021, 9:50 PM PST

To Sendbird customers,

The world is in panic by the news of a vulnerability in Apache Log4j announced last week.
Sendbird clearly recognizes that the security of our customers should be our top priority. Transparency is also important to address this issue, so we are disclosing all possible information to our customers. No customer action is required by far. However, our investigation continues and we will provide more updates of any new findings if there.

A vulnerability has been discovered that could allow data leaks and unexpected penetration in a software component using Java-based open-source library, Log4j. It means, if the service is not using that library, the vulnerability does not affect the service. Sendbird’s core tech components are not written in Java, so fundamentally, we are not impacted by the vulnerability directly. We also had to investigate a number of 3rd party softwares with our products, including both non-managed services and managed services from cloud infrastructure providers.

The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. As soon as Sendbird got the notice, we immediately evaluated all service systems to figure out what systems and libraries could have affected the vulnerability. The inspections for our product had been done by Dec 10, 2021 (PST). Also, we started cooperating with the AWS security team to analyze the impact on their managed service that works with our core products.

For non-managed 3rd party software we use, we already removed all the possible vulnerabilities by adding appropriate JVM options and upgrading the Log4j version since we have the full control of those tools on our side.

For AWS managed services, there are few AWS managed services that include affected Log4j versions internally. We ran our own security scan and this has not revealed any exploitable RCEs so far since our system doesn’t take advantage of Log4j components of those in our current configuration.

As a normal practice, we will update every AWS component with the latest version of Log4j as we work with the AWS security team together. Here’s a list of AWS components that we try to update as soon as possible.

Sendbird Chat Message Search / Desk Ticket Search

We’ve confirmed that AWS OpenSearch Service, which is utilized for Sendbird message search, is in the scope of log4j vulnerability. The entire OpenSearch instances we use have been fully patched to use the unaffected version of Log4j by the AWS team as of Dec 15, 2021. Even before the patch, we verified that there was no real risk of having the exploit to run in the system by running our own security scan.

Sendbird Chat Data Export

AWS EMR Service, which is utilized for Sendbird Chat Data Export, is in the scope of log4j vulnerability. The entire EMR instances we use have been fully patched to use the unaffected version of Log4j by the AWS team as of Dec 15. Even before the patch, we verified that there was no real risk of having the exploit to run in the system by running our own security scan.

Log4j Vulnerability Scanner False Alarm

Some Log4j vulnerability scanner alerts when Sendbird Chat messages include the specific URL patterns related to the vulnerability. As a result of the investigation, it turned out to be a false alarm. The cause was when the Sendbird Chat server finds a URL in the chat message, it performs an OG tag operation to preview the website. This (processing) scenario is intended for the Sendbird Chat server and completely under control. This is the reason for the notification from some vulnerability scanners, and it is not related to the log4j vulnerability since the injected URL content is downloaded by a non-Java system. To prevent false alarms reported from some customers, we are releasing a hotfix to ignore certain URL patterns in our OG tag parsing.

We’ll continue to update this post when we have new information or if any additional action is required.