Update Regarding Apache Log4j2 Issue (CVE-2021-44228)
Incident Report for Kaltura
Resolved
This incident has been resolved.
Posted Jan 21, 2022 - 22:04 UTC
Update
Following the Log4j CVE-2021-45105 and CVE-2021-45046 disclosures, Kaltura has taken additional mitigation and remediation steps to address them, either by upgrading Log4j to version 2.17 or by removing the JndiLookup class from the classpath.

Kaltura is aware of the ongoing updates on CVE-2021-44832 (Medium). After performing a risk assessment, Kaltura considers the risk low to medium. We have completed the execution of a mitigation plan addressing CVE-2021-44832 for all internet-facing and non-internet-facing components.

The latest available API client version (v17.18.1), which includes Log4j 2.17.1, is on Maven here:
https://repo1.maven.org/maven2/com/kaltura/kalturaApiClient/17.18.1/
Posted Jan 20, 2022 - 16:44 UTC
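The update above names the two mitigations Kaltura applied: upgrade Log4j to 2.17.x, or remove the JndiLookup class from the classpath. The following is an added example, not Kaltura's code and not part of this status page. It inspects a log4j-core jar for its version and for that class, reports which of the four CVEs discussed on this page are still open, and applies the class-removal mitigation by rewriting the jar. It assumes the layout of the real log4j-core artifact (version in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, class at org/apache/logging/log4j/core/lookup/JndiLookup.class) and feeds itself constructed in-memory jars so it runs offline. It also makes explicit a caveat the update glosses over: stripping JndiLookup covers only CVE-2021-44228 and CVE-2021-45046; CVE-2021-45105 and CVE-2021-44832 are not reached through that class and need the 2.17.x upgrade.

```python
"""Log4j 2 jar check and JndiLookup-removal mitigation.

Added example, not Kaltura's code. Assumes the real log4j-core layout:
version in META-INF/maven/.../pom.properties, JNDI lookup class at
org/apache/logging/log4j/core/lookup/JndiLookup.class. Sample jars are
constructed in memory (not real artifacts) so the script runs offline.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First 2.x release in which each CVE on the page is fixed. This simple
# threshold ignores the Java 7/6 backport lines (2.12.x, 2.3.x).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Only these two are reached through JndiLookup. Deleting that class does not
# help against the lookup-recursion DoS (45105) or the JDBC appender issue (44832).
MITIGATED_BY_JNDI_REMOVAL = {"CVE-2021-44228", "CVE-2021-45046"}


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from the 'version=' line of pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report log4j-core version, JndiLookup presence and the CVEs still open."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi_lookup = JNDI_LOOKUP in names
    open_cves = []
    if version is not None and version[0] == 2:
        for cve, fixed in FIXED_IN.items():
            if version >= fixed:
                continue
            if cve in MITIGATED_BY_JNDI_REMOVAL and not has_jndi_lookup:
                continue  # class already stripped: this CVE is mitigated
            open_cves.append(cve)
    return {"version": version, "has_jndi_lookup": has_jndi_lookup, "open_cves": open_cves}


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class (the classpath-removal mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))  # keeps each entry's compression
    return out.getvalue()


def build_sample_jar(version: str, with_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    old = build_sample_jar("2.14.1")
    print("2.14.1 as shipped: ", inspect_jar(old))
    print("2.14.1 after strip:", inspect_jar(strip_jndi_lookup(old)))
    print("2.17.1:            ", inspect_jar(build_sample_jar("2.17.1")))
```

Run it as-is to see the three reports; point `inspect_jar` at `open(path, "rb").read()` for a real log4j-core jar. For deployments that pull in the Kaltura Java API client through Maven, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` shows which log4j-core version is actually resolved after the upgrade, which is the number that matters rather than the one declared in the client's own pom.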
Update
Kaltura Blackboard Building Block Update - We have completed the upgrade of Log4j in the Kaltura Building Block to version 2.17, and the new B2 version v5.4.12 was released on Wednesday, December 22nd.

Release Note: https://knowledge.kaltura.com/help/blackboard-learn-release-notes#blackboard-learn-december2021-release-notes-v5412
(contains a link to the download file)
Posted Dec 22, 2021 - 19:30 UTC
Update
Kaltura Blackboard Building Block Update - Following recent updates on further Log4j issues, we have decided to upgrade the plugin's Log4j to version 2.17 and are now in the final QA stages. The new version is expected to be released on Wednesday, December 22nd.

The next update will be posted with additional information once the updated Blackboard Building Block version is available.
Posted Dec 21, 2021 - 10:59 UTC
Update
Following the recent updates on the CVE-2021-44228 (Critical) vulnerability, Kaltura is aware of the ongoing updates on CVE-2021-45046 (Medium).

Kaltura has completed execution of the mitigation plan addressing CVE-2021-44228 for all internet-facing and non-internet-facing components.

After performing a risk assessment for the new CVE-2021-45046 vulnerability, Kaltura considers the risk low to medium.

Kaltura has taken additional mitigation steps to address this issue, either by upgrading Log4j to version 2.16 or by removing the JndiLookup class from the classpath.

Kaltura will ensure all internet-facing components are upgraded to version 2.16 on Sunday, December 19th, 2021.

In addition, we have updated the Log4j version in the Kaltura Blackboard Building Block to 2.16 and are now in the final QA stages. We strongly encourage customers using it in their own environments to contact their Customer Success Manager or Project Manager and prepare for the upgrade. The new version is expected to be released on Monday, December 20th.

The next update will be posted with additional information once the Blackboard Building Block version is available.
Posted Dec 16, 2021 - 20:40 UTC
Monitoring
Kaltura is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue and are working on addressing it for any Kaltura service that uses Log4j2.
All Kaltura services that are internet-facing have been updated, and we are now working on a mitigation plan for non-internet-facing services that pose no immediate risk.
We strongly encourage customers that utilize Kaltura’s Java API Client Library in their own environments to upgrade to the latest version available on Maven: https://repo1.maven.org/maven2/com/kaltura/kalturaApiClient/17.16.0/
For additional details or assistance, please contact Kaltura Customer Care.

Additional service-specific information is below:

Kaltura.com Hosted Services:
Internet-facing Kaltura.com hosted services (Kaltura Media Services, MediaSpace, Virtual Events, Kaltura Application Framework, Kaltura Capture, Webcasting, Pitch, Kaltura Management Console) do not include Log4j2. Accordingly, these services are not affected by the issue described in CVE-2021-44228. Kaltura is working to update the relevant non-internet-facing components of these services according to a mitigation plan.

Regional Clouds:
Internet-facing services of Kaltura Regional Clouds do not include Log4j2. Accordingly, these services are not affected by the issue described in CVE-2021-44228. Kaltura is working to update the relevant non-internet-facing components of these services according to a mitigation plan.

Kaltura Meeting Experiences:
For internet-facing services of Kaltura Meeting Experiences (Kaltura Virtual Classroom, Meetings, and Webinars), we have updated Log4j2 to the latest version and set the relevant flags to disable JNDI lookups, which addresses the issue. Additionally, these services were already on the latest version of Java. Kaltura is working to update the relevant non-internet-facing components of these services according to a mitigation plan.

Kaltura will continue monitoring this issue and provide additional details and recommendations as they become available.
Posted Dec 14, 2021 - 08:52 UTC
This incident affected: Kaltura MediaSpace.