Grafana Labs core products not impacted by Log4j CVE-2021-44228 and related vulnerabilities

2021-12-14

Note: We are receiving questions around CVE-2021-45046. This CVE is a follow-up exploit to CVE-2021-44228. As such, the statements below also apply for CVE-2021-45046.

Like many of our peers, we have spent the last few days responding to the Log4j RCE vulnerability, CVE-2021-44228, and the related CVEs that were discovered following disclosure of 44228.  

We are fortunate in our case that we chose not to use Java as a core part of our stack and have minimal dependencies on services and applications that make use of it.

After a rigorous review of our codebase, we are confident that Grafana OSS, Grafana Cloud, and our Enterprise products are not affected.

A small number of demo, experimental, or playground projects (all non-customer impacting) had vulnerable versions of Log4j running, but these were stopped immediately upon discovery until they can be upgraded or decommissioned.  

How Grafana Loki can help

While no substitute for a full SIEM, searching Grafana Loki for app logs containing patterns such as ${jndi:ldap://* can be a great, low-overhead way to start getting visibility into exploitation attempts. Similarly, searching for jndi in general can help find undocumented services that could be running vulnerable versions. As Log4j often prints its own name at startup, a search for the regular expression (?i)log4j can also help identify services using Log4j, which you can then assess for potential vulnerabilities.
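The three searches above, as an added example that is not from the original post or from Grafana Labs: a Python sketch that buckets constructed log lines by the same patterns and renders each one as a LogQL line filter. The stream selector {job=~".+"}, the bucket names, and the sample lines are assumptions made for illustration.

```python
import re

# The three searches from the post, most specific first.
# The trailing * in "${jndi:ldap://*" is read here as a wildcard, so the
# literal substring searched for is "${jndi:ldap://".
# Each entry: (bucket name, LogQL filter operator, pattern, Python matcher).
SEARCHES = [
    ("exploit_attempt", "|=", "${jndi:ldap://", lambda l: "${jndi:ldap://" in l),
    ("jndi_mention", "|=", "jndi", lambda l: "jndi" in l),
    ("log4j_in_use", "|~", "(?i)log4j", re.compile(r"(?i)log4j").search),
]

# Constructed sample lines (not real logs).
SAMPLE = [
    "2021-12-13T10:02:11Z app=web GET /?q=${jndi:ldap://example.invalid/a} 404",
    "2021-12-13T10:02:15Z app=batch INFO binding datasource via jndi name jdbc/app",
    "2021-12-13T10:03:00Z app=search INFO Log4j 2 starting up",
    "2021-12-13T10:03:05Z app=web GET /healthz 200",
]


def logql_queries(selector='{job=~".+"}'):
    """Render each search as a LogQL query; the selector is a placeholder."""
    return {name: f'{selector} {op} "{pat}"' for name, op, pat, _ in SEARCHES}


def triage(lines):
    """File each line under the most specific search that matches it."""
    hits = {name: [] for name, *_ in SEARCHES}
    for line in lines:
        for name, _, _, match in SEARCHES:
            if match(line):
                hits[name].append(line)
                break  # a line counts once, under its most specific bucket
    return hits


if __name__ == "__main__":
    for name, query in logql_queries().items():
        print(f"{name}: {query}")
    for name, lines in triage(SAMPLE).items():
        print(f"{name}: {len(lines)} line(s)")
```

Lines in the first bucket point at requests to investigate; the other two buckets point at services to inventory and check for a vulnerable Log4j version.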

If you have specific questions or concerns regarding this vulnerability and your Grafana products or services, please email security@grafana.com.