Late last week, we became aware of a critical vulnerability in a logging library commonly used by Java-based software, Log4j. This vulnerability, dubbed Log4Shell or CVE-2021-44228, allows attackers to remotely execute code on systems utilizing a vulnerable version of the Log4j library. The impact of the flaw is so severe it has been given the highest severity score (10.0) by the US National Vulnerability Database. This is even higher than the notorious Heartbleed bug of 2014 that impacted services worldwide.
Radio Mast does not use Java in any externally facing services and is not vulnerable to CVE-2021-44228. Although some of our internal systems do use Java, we have carefully verified that none of the software in our supply chain is vulnerable, and none of these systems handle customer data. Since the time of initial vulnerability disclosure, we have performed two software supply chain audits across our fleet of servers to be certain of these results, since the potential impact is so high.
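One way to carry out the kind of software supply chain audit described above is to open every Java archive on a host and check whether it bundles a log4j-core older than 2.15.0 (the release that fixed CVE-2021-44228), including copies shaded inside other jars. The script below is an added example, not Radio Mast's own tooling; it assumes the standard log4j-core jar layout (version in the Maven pom.properties, JndiLookup.class in the core jar) and builds its sample jar in memory.

```python
"""Audit Java archives for a log4j-core vulnerable to CVE-2021-44228 (fixed in 2.15.0).
Added example, not Radio Mast's tooling; assumes the standard log4j-core jar layout."""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Parse 'version=2.14.1' from pom.properties into a 3-int tuple."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            nums = [int(re.match(r"\d*", p).group() or 0) for p in parts]  # "0-beta9" -> 0
            return tuple(nums + [0, 0, 0])[:3]
    return None

def inspect_archive(data, name):
    """Return (path, finding) pairs for one archive, recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    if version is not None and version < FIXED:
        findings.append((name, "log4j-core %d.%d.%d < 2.15.0: CVE-2021-44228" % version))
    elif version is None and JNDI_CLASS in names:
        findings.append((name, "JndiLookup.class present, version unknown: review manually"))
    for member in sorted(names):  # shaded/uber jars bundle log4j inside other archives
        if member.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(member), name + "!" + member))
    return findings

def make_archive(members):
    """Build an in-memory jar from {name: content}; used here to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: app jar shading an old log4j-core
    old = make_archive({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b""})
    app = make_archive({"lib/log4j-core-2.14.1.jar": old, "Main.class": b""})
    print(inspect_archive(app, "app.jar"))
```

Feeding each archive found under a server's application directories into inspect_archive gives a per-host report; an archive that carries JndiLookup.class but no recognisable version still deserves a manual look.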
Why this is worse than Heartbleed
The danger of the Heartbleed vulnerability of 2014 was that it could be exploited to break the encryption of HTTPS or other TLS-secured connections for the majority of webservers across the globe. The severity was critical, not only for the immediate privacy concerns, but also for the consequences of leaking passwords and other secrets, allowing threat actors to gain unauthorized access to systems.
The Log4Shell vulnerability is more severe on the surface because it allows threat actors to directly run commands or code on a vulnerable system, and Log4j happens to be very popular in the Java ecosystem - but it gets even worse. Since it can be exploited simply by tricking an application into logging some nefarious text, an attacker can effectively poison data that is then processed by other software.
For example, an attacker could cause a secure webserver to write a poisoned line of text to a website visitor log, which is then later processed by a vulnerable log processing application or data pipeline. This scenario is entirely plausible because log processing is a common part of many systems architectures and has a wide variety of applications. (Even our very own Radio Mast Analytics utilizes a log processing architecture, though without Java.)
Not only do organizations need to secure their internet-facing services, but extra effort must be made to urgently secure internal services against Log4Shell to avoid compromise by poisoned data. This vulnerability could give attackers a way to get deep into enterprise networks, which makes the potential for widespread compromise much worse than Heartbleed.
Security and Next Steps
We are closely watching the Log4j situation to respond rapidly in case related vulnerabilities are discovered. In the meantime, our engineering and security teams will continue to work around the clock to provide best-in-class security for your live audio streams. As part of our regular security processes, we continuously monitor our systems for unauthorized activity and follow best practices including frequently applying security patches. The enhanced security and reliability of Radio Mast are key advantages of our fully managed streaming audio delivery, allowing broadcasters to focus on creating great radio programming and worry less about online streaming infrastructure.
If you have any questions or concerns, please feel free to get in touch.