
Geotab’s CVE-2021-44228 Response

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends taking immediate action on the Log4j vulnerability.

By Geotab Incident Response Team

January 4, 2022

On Thursday, December 9, 2021, proof-of-concept exploit code was released for a remote code execution vulnerability in Apache Log4j, a Java library, tracked as CVE-2021-44228. Log4j is used within the Java platform as a logging library and in a large number of internet applications. The United States CISA recommends that organizations take immediate action.

----------------------------------------------------------------

Update for January 4, 2022:

We are closely monitoring the ongoing evolution of the Log4j issue. We are aware of the new CVE-2021-44832 vulnerability and we are currently updating to Log4j 2.17.1 where required. We will continue to update to any newer versions as they are released and deemed necessary.


Update for December 20, 2021: 

We are closely monitoring the ongoing evolution of the Log4j issue. We are currently updating to Log4j 2.17 where required. We will continue to update to any newer versions as they are released and deemed necessary.

----------------------------------------------------------------

Frequently asked questions

1. Are MyGeotab, MyAdmin, or GO Device Firmware affected?

No, MyGeotab, MyAdmin and GO Device Firmware do not use Log4j and are not affected by this vulnerability. 

2. Is other Geotab software affected?

Except as described below, no other Geotab proprietary software was found to be vulnerable. All internally accessible servers have been evaluated and mitigations have been implemented for protection.


However, Fleet Center, a product from BSM Technologies Inc. (previously acquired by Geotab), was identified as using the vulnerable package and was accessible from the internet. For these hosts, the software mitigations suggested by Apache and the United States CISA were quickly applied. In light of the most recently available information, additional patching to Log4j 2.16 is ongoing.


Geotab’s Incident Response Team used both network-based and host-based intrusion prevention systems to provide a layered defense that blocks exploitation attempts. Additionally, reviews for indicators of compromise are ongoing.

3. Is the Geotab Software Development Kit (SDK) affected?

Geotab offers SDK packages for customers using different programming languages. One of these is based in Java. The previous version of the Java-based SDK was vulnerable, as it was utilizing Log4j 2.13. If a customer is utilizing the Geotab Java SDK, we urge you to upgrade to the latest version immediately.


Note: The Java SDK runs client-side, so it is the users running the code who would be vulnerable, not Geotab. Typically the SDK runs on hosts that do not expose the application to the internet, so the risk of exploitation is most likely low. However, it is still best practice to update.
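Customers who want to confirm which Log4j version their Java SDK build actually pulls in, rather than trusting a dependency declaration, can inspect the jars on the classpath directly. The following script is an added example and is not Geotab code: it reads the Implementation-Version from each jar's META-INF/MANIFEST.MF, checks whether the jar carries log4j-core classes, and reports whether the JndiLookup class (the component behind CVE-2021-44228, whose removal Apache listed as a mitigation) is present. The upgrade threshold of 2.17.1 is taken from the January 4, 2022 update above and is an assumption for this check; the sample jars it builds in memory are constructed for the demonstration, and their manifests are not real log4j-core manifests.

```python
import io
import re
import sys
import zipfile

# Threshold assumed from the page's January 4, 2022 update: anything older
# than 2.17.1 is reported as needing an upgrade.
TARGET_VERSION = (2, 17, 1)
# Class that implements the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"


def parse_version(text):
    """Turn a version string such as '2.13.3' into a comparable tuple.

    Missing components are treated as zero, so '2.17' becomes (2, 17, 0).
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def manifest_version(zf):
    """Return the Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def inspect_jar(source):
    """Describe one jar (path or file-like object).

    Returns a dict with: whether it contains log4j-core classes, the manifest
    version, whether JndiLookup.class is present, and whether the jar should
    be upgraded (log4j-core older than TARGET_VERSION or with unknown version).
    """
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    is_core = any(n.startswith(CORE_PREFIX) for n in names)
    has_jndi = JNDI_LOOKUP_CLASS in names
    needs_upgrade = is_core and (version is None or parse_version(version) < TARGET_VERSION)
    return {
        "log4j_core": is_core,
        "version": version,
        "jndi_lookup": has_jndi,
        "needs_upgrade": needs_upgrade,
    }


def build_sample_jar(version, include_jndi):
    """Constructed in-memory jar used only to exercise inspect_jar offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\n"
            "Implementation-Title: sample log4j core (constructed)\n"
            f"Implementation-Version: {version}\n",
        )
        # Stand-in for a real class file; only the entry name matters here.
        zf.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


def main(paths):
    """Scan jar paths from the command line, or the constructed samples if none given."""
    if paths:
        targets = [(p, p) for p in paths]
    else:
        targets = [
            ("constructed-old.jar", build_sample_jar("2.13.3", True)),
            ("constructed-new.jar", build_sample_jar("2.17.1", False)),
        ]
    for label, src in targets:
        info = inspect_jar(src)
        status = "UPGRADE" if info["needs_upgrade"] else "ok"
        print(f"{label}: log4j-core={info['log4j_core']} version={info['version']} "
              f"jndi_lookup={info['jndi_lookup']} -> {status}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with one or more jar paths to report on a real classpath; with no arguments it scans the two constructed samples. A jar reported as log4j-core with no readable version should be treated as needing an upgrade, which is why the check errs on that side.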

4. Are Geotab’s vendors affected?

Geotab is actively working with our third-party partners, suppliers and vendors to determine if any are impacted by this vulnerability. If anything is found to have affected Geotab or our customers, we will communicate accordingly.

5. Overview of Impact on Geotab

Geotab’s flagship products were not impacted by the vulnerability. Log4j is not commonly used within the organization. Geotab has not found any successful exploitation attempts against our infrastructure. Any host found to be running a vulnerable version and publicly accessible had the mitigations applied quickly, and the other security layers were monitored closely. Any internal hosts found to be running a vulnerable version were not publicly accessible and could not be exploited; they were nevertheless reviewed and promptly patched. All patched hosts are now being upgraded to the latest version of Apache Log4j, 2.16, in light of the most recently available information.


For any questions or concerns that are not covered in this FAQ, please reach out to us at security@geotab.com.


Learn more about Geotab’s security and privacy policies at the Geotab Security Center
