Geotab’s CVE-2021-44228 Response

Published on December 15, 2021 in Compliance by Geotab Incident Response Team


The US Cybersecurity and Infrastructure Security Agency (CISA) recommends taking immediate action on the Log4j vulnerability.

On Thursday, December 9, 2021, proof-of-concept exploit code was released for CVE-2021-44228, a remote code execution vulnerability in Apache Log4j, a Java library. Log4j is a logging library used throughout the Java ecosystem and in a large number of internet applications. The United States CISA recommends that organizations take immediate action.

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Update for January 4, 2022:

We are closely monitoring the ongoing evolution of the Log4j issue. We are aware of the new CVE-2021-44832 vulnerability and we are currently updating to Log4j 2.17.1 where required. We will continue to update to any newer versions as they are released and deemed necessary.

Update for December 20, 2021:

We are closely monitoring the ongoing evolution of the Log4j issue. We are currently updating to Log4j 2.17 where required. We will continue to update to any newer versions as they are released and deemed necessary.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Frequently asked questions

1. Are MyGeotab, MyAdmin, or GO Device Firmware affected?

No, MyGeotab, MyAdmin and GO Device Firmware do not use Log4j and are not affected by this vulnerability.

2. Is other Geotab software affected?

Except as described below, no other Geotab proprietary software was found to be vulnerable. All internally accessible servers have been evaluated and mitigations have been implemented for protection.

However, the product Fleet Center from BSM Technologies Inc. (previously acquired by Geotab) was identified as using the vulnerable package and as being publicly accessible from the internet. For these hosts, the software mitigations suggested by Apache and the United States CISA were quickly applied. In light of the most recently available information, additional patching to Log4j 2.16 is ongoing.

Geotab’s Incident Response Team used both network-based and host-based intrusion prevention systems to provide a layered defense that blocks exploitation attempts. Additionally, reviews for indicators of compromise are ongoing.

3. Is the Geotab Software Development Kit (SDK) affected?

Geotab offers SDK packages for customers using different programming languages. One of these is based on Java. The previous version of the Java-based SDK was vulnerable, as it used Log4j 2.13. If you are using the Geotab Java SDK, we urge you to upgrade to the latest version immediately.

Note: The Java SDK runs client-side, so the users running the code would be vulnerable, not Geotab. Typically, this code runs on hosts that are not publicly accessible and do not expose the application to the internet, so the risk of exploitation is most likely low. However, it is still best practice to update.

4. Are Geotab’s vendors affected?

Geotab is actively working with our third-party partners, suppliers and vendors to determine if any are impacted by this vulnerability. If anything is found to have affected Geotab or our customers, we will communicate accordingly.

5. Overview of Impact on Geotab

Geotab’s flagship products were not impacted by the vulnerability. Log4j is not commonly used within the organization. Geotab has not found any successful exploitation attempts against our infrastructure. Any host found to be running a vulnerable version and publicly accessible had the mitigations applied quickly, and the other security layers were monitored closely. Any internal hosts found to be running a vulnerable version were not publicly accessible and could not be exploited; however, they were still reviewed and promptly patched. In light of the most recently available information, all patched hosts are now being upgraded to the latest version, Apache Log4j 2.16.
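As an added example (not Geotab's code and not part of the advisory), the following Python check reads a dependency inventory and reports which Log4j 2.x log4j-core versions predate the fixes for CVE-2021-44228 and CVE-2021-44832, the two CVEs named on this page, which is the kind of inventory review behind the SDK and host upgrades described above. The fixed-in versions are those published by Apache; the sample inventory, file paths and version numbers are constructed for illustration (the page itself mentions only 2.13, 2.16, 2.17 and 2.17.1), and Log4j 1.x is deliberately out of scope.

```python
import re

# Fixed-in versions for the two CVEs the advisory names; the 2.12.x branch (Java 7) got backports.
FIXED_IN = {
    "CVE-2021-44228": {"2.12": (2, 12, 2, 1), "2.x": (2, 15, 0, 1)},
    "CVE-2021-44832": {"2.12": (2, 12, 4, 1), "2.x": (2, 17, 1, 1)},
}

# Matches Maven coordinates (...:log4j-core:jar:2.13.3:compile) and jar names (log4j-core-2.13.3.jar).
# Only log4j-core ships the affected JNDI lookup; log4j-api and the Log4j 1.x artifact do not match.
ARTIFACT_RE = re.compile(r"log4j-core(?::jar)?[-:](\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)")

def parse_version(text):
    """'2.13.3' -> (2, 13, 3, 1); a pre-release like '2.0-beta9' ends in 0 so it sorts first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)

def vulnerable_cves(version):
    """CVEs from FIXED_IN whose fix this 2.x version predates (Log4j 1.x is not assessed)."""
    v = parse_version(version)
    if v[0] != 2:
        return []
    branch = "2.12" if v[:2] == (2, 12) else "2.x"
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed[branch]]

def scan(lines):
    """Return (line, version, [cves]) for every log4j-core reference in an inventory."""
    findings = []
    for line in lines:
        m = ARTIFACT_RE.search(line)
        if m:
            findings.append((line.strip(), m[1], vulnerable_cves(m[1])))
    return findings

# Constructed sample inventory: a Maven dependency listing plus jars found on disk.
SAMPLE = """
org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
/opt/app/lib/log4j-core-2.16.0.jar
/opt/app/lib/log4j-core-2.12.2.jar
/opt/legacy/lib/log4j-1.2.17.jar
/opt/app/lib/log4j-core-2.17.1.jar
""".strip().splitlines()

if __name__ == "__main__":
    for line, version, cves in scan(SAMPLE):
        print(f"{version:<8} {', '.join(cves) or 'fixed':<30} {line}")
```

Feed it the output of `mvn dependency:list` or a file listing to get the same report for a real inventory.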

For any questions or concerns that are not covered in this FAQ, please reach out to us at security@geotab.com.

Learn more about Geotab’s security and privacy policies at the Geotab Security Center.


Disclaimer

Geotab's blog posts are intended to provide information and encourage discussion on topics of interest to the telematics community at large. Geotab is not providing technical, professional or legal advice through these blog posts. While every effort has been made to ensure the information in this blog post is timely and accurate, errors and omissions may occur, and the information presented here may become out-of-date with the passage of time.