A major remote code execution (RCE) vulnerability has been identified in the java logging service "Log4j", with public proof-of-concept code being posted. Exploits are circulating around the internet in large numbers.
Planet is closely following CVE-2021-44228 and CVE-2021-45046. Planet’s customer systems do not utilize Java or Log4j other than in relation to non-Internet facing support systems, such as commonly used Java-based search, issue tracking and collaboration, and continuous integration systems. For these support systems, Planet’s security team responded to CVE-2021-44228 on December 9, 2021 by ensuring that Internet facing systems do not utilize Log4j and either disabling message lookups in running JVMs or updating to Log4j 2.15, and now 2.16. Planet utilizes network segmentation to limit access to customer and spacecraft systems internally only to those endpoints and employees with a business need to access them. In this way, Planet’s threat surface is reduced.
In addition to internal assessments and mitigations, Planet has been tracking vendor announcements for products and components impacted by Log4j, including https://github.com/cisagov/log4j-affected-db, and does not utilize the affected products or services.
The nature of the vulnerability in Log4j coupled with its extensive use in Java-based products means that the response to this incident will be long term and continuous, but Planet has no reason to believe that it is presently vulnerable or impacted by CVE-2021-44228 and CVE-2021-45046.