Log4Shell: PKB SaaS offering patches critical security flaw in hours

On Friday, 10 December 2021, NIST (https://www.nist.gov/) disclosed information about CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), a security vulnerability in an extremely widely used software library, with a severity rating of 10.0 (on a scale that ranges from 0.0 to 10.0).

What this meant was that tens or hundreds of millions of internet-connected servers and computers became trivially hackable.

PKB staff learned about this flaw just before 6 AM UK time through information security-related channels. Had we missed the news, our automated code scanning systems would have alerted us very quickly – we were glad to see that our test suites started to fail in the morning because a vulnerable software component was present. We were fairly confident that the vulnerability could not be easily exploited in our environment because of our restricted network connectivity; however, these kinds of software bugs still make people nervous, so we treated it as critical regardless.
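The "test suite fails when a vulnerable component is present" behaviour described above is, at its simplest, a build gate that inspects the resolved dependency tree. The script below is an added illustration, not PKB's own tooling: it assumes the output format of `mvn dependency:list` (`groupId:artifactId:type:version:scope`), uses a constructed sample of that output embedded inline, and flags any `log4j-core` whose version falls in the range affected by CVE-2021-44228 (2.0-beta9 up to and including 2.14.1; 2.15.0 was the first fixed release). A non-zero exit status is what makes the build, and therefore the test run, fail.

```python
"""
Build-gate check for a vulnerable log4j-core dependency.

Added illustration (not PKB's own tooling). Assumes the line format printed by
`mvn dependency:list` and flags log4j-core versions affected by CVE-2021-44228.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample of what `mvn dependency:list` might print for a project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    com.example:internal-lib:jar:3.2.0:compile
"""

VULNERABLE_ARTIFACT = ("org.apache.logging.log4j", "log4j-core")
FIRST_VULNERABLE = "2.0-beta9"   # JNDI lookup support first shipped here
FIRST_FIXED = "2.15.0"           # first release fixing CVE-2021-44228

# groupId:artifactId:type:version:scope, as printed by mvn dependency:list
DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple.

    Pre-release tags (alpha < beta < rc) sort before the final release of
    the same number, so 2.0-beta9 < 2.0-rc1 < 2.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    major, minor, patch, tag, tag_num = m.groups()
    tag_rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[tag]
    return (int(major), int(minor), int(patch or 0), tag_rank, int(tag_num or 0))


def is_vulnerable_version(version: str) -> bool:
    """True if FIRST_VULNERABLE <= version < FIRST_FIXED."""
    v = parse_version(version)
    return parse_version(FIRST_VULNERABLE) <= v < parse_version(FIRST_FIXED)


def find_vulnerable_dependencies(dependency_list: str) -> List[str]:
    """Return 'group:artifact:version' for every vulnerable log4j-core entry."""
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue  # banner lines and anything else that is not a coordinate
        group, artifact, _type, version, _scope = m.groups()
        if (group, artifact) == VULNERABLE_ARTIFACT and is_vulnerable_version(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


if __name__ == "__main__":
    found = find_vulnerable_dependencies(SAMPLE_DEPENDENCY_LIST)
    for dep in found:
        print(f"VULNERABLE (CVE-2021-44228): {dep}")
    # A non-zero exit fails the build step, so the pipeline cannot go green
    # while the affected component is on the classpath.
    sys.exit(1 if found else 0)
```

In a real pipeline the sample text would be replaced by the captured output of the dependency listing, and the version window would be kept in a data file so that follow-on advisories can be added without touching the code.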

Around 7:30 AM, the patch that fixed the issue was considered complete and we started our extensive automated testing suite, which took 3 hours to complete on the build farm. By this point we had notified subscribers to pkbstatus.com that we would be doing an urgent patch at 11 AM, so they could expect some short downtime, and by 11 AM our systems were patched.

For any users or customers who are not aware: you can track our status alerts via pkbstatus.com and subscribe there to be automatically notified of any releases we are doing, or of known issues.
