Many of our clients ask whether Hostinger is vulnerable to the new Java-based Apache Log4j library vulnerability that has been all over the news recently. This vulnerability allows an attacker to execute code on a remote server.
We can confirm that Hostinger’s web hosting servers do not support services that depend on Log4j, nor are they installed, making you and your data safe and unaffected by this Log4j vulnerability.
Our API and UI systems do not run on Java, except for our internally used Elasticsearch instance which has been patched. Thus, even though we have noticed an influx of traffic hitting our APIs with ‘jndi’, ‘ldap’, and numerous variations of keywords trying to trigger the Log4j exploit, – they are harmless to our systems, and do not have any impact on customers’ data.
What is the Log4j vulnerability issue? How was Log4j found?
Log4j is a portion of code helping software applications keep track of their past activities. Each time developers build new software, they can apply this existing code element, which is free on the Internet and commonly used.
In recent weeks, the cybersecurity community discovered that requesting the program to log a malicious code, such a process would lead attackers to take control of servers running Log4j.
The origins of reporting this vulnerability still differ – some believe it was first noticed in a Minecraft-related forum, while others mark Chinese tech company Alibaba’s security researchers. Either way, experts name it the most severe software vulnerability in the matter of numerous devices, sites and services exposed.
Do I need to do anything about the Log4j vulnerability?
We would like to inform our VPS customers, running their Java services on VPS servers, to please update Log4j to at least the 2.16.1 version. Otherwise, update the relevant software, including Log4j as a bundle, and restart your services.
Specifically for VPS Minecraft users, the game will automatically be updated when you open the MC launcher. So please do not skip or try to stop the update. You will be safe once the game is newly-launched. For more information, go over this article on the security vulnerability in Java edition.
We recommend at least the 1.18.1 version for your MC clients and when running your server.
How can I further protect myself from malicious traffic from the Log4j vulnerability?
Even though your website hosting accounts on Hostinger’s servers are safe, massive scans are running on full Internet IP ranges. They scan all websites across the world just to find vulnerable hosts. This traffic is obtrusive, and it may cause your website account to use more resources than needed and might even slow it down.
We recommend enabling Cloudflare on your websites. Since Cloudflare has enabled specific WAF rules by default (on Free tier), all the malicious traffic from Log4j vulnerability scanners will be dropped.
We also recommend following the relevant news for a few weeks to ensure that a re-patch is not needed again. We already had new vulnerabilities patched for Log4j (CVE-2021-45046) after the initial bug (CVE-2021-44228) was found. As there is so much global focus on this Log4j library now, new ways to exploit it are being continuously located.
We can reminisce and learn from serious vulnerabilities such as Shellshock (Bash vulnerability) and Heartbleed (TLS vulnerability) which happened a few years ago when several re-patches were needed to secure the systems fully.
How can we all contribute? The Apache Software Foundation
We, Hostinger, are an open company, mainly built on an open-source software. Times like these remind us that an open-source software is created by enthusiasts who basically get nothing out of it themselves.
As this vulnerability hit the world during the weekend, maintainers gathered and worked during days and nights to fix the issues that affect the world. Therefore, they deserve so much respect and appreciation for their work and efforts.
Let’s use this as an opportunity to support communities and foundations. So, hit that sponsor button more, and send some good karma. From Hostinger’s side, we have contributed by donating to the Apache Software Foundation.
Additionally, if you are a developer who needs hosting for a project or you are struggling with getting it online, let us know at email@example.com. All of us at Hostinger are ready to help.
Stay safe everyone,
CTO @ Hostinger
ASF Donation page: https://www.apache.org/foundation/contributing.html
Validate the affected software here: https://github.com/cisagov/log4j-affected-db