On 10th December 2021, a critical severity Remote Code Execution (RCE) exploit disclosure for log4j was published, as CVE-2021-44228, affecting versions below 2.15.0. The vulnerability has been coined as Log4Shell. The log4j framework allows Java developers to log data (incl. user-based) in their applications.
In short: No. We confirm that CVE-2021-44228 does not impact the Cloudsmith service following a security audit. As per our last announcement regarding ISO27001 certification, we're highly committed to security and privacy, and we'll do everything we can to assist with ensuring that our customers, and your customers, remain secure too.
Although Cloudsmith is not impacted, the exploit is exceptionally high impact and highly commonly used, so it should be taken utmost seriously by developers and users of affected software. Immediate action is required to identify and mitigate the software and environments impacted.
Please see our full announcement (below) for background, mitigation advice and next steps.
After nearly a year of effort in which we designated 2021 as the “Year of Security,” we’re incredibly proud to announce that we are now ISO27001:2013 certified. The certification is an incredible achievement by the team at Cloudsmith and excellent news for all of our customers. What exactly is ISO27001:2013? ISO27001:2013, also known as ISO27001…
One of the features our customers have requested is the ability to sort packages when querying via the Cloudsmith API. Good news everyone - we can now offer that functionality! What does this mean for me? By default we will sort packages by the uploaded date descending (the most recently uploaded package first), but what if you wanted to view w…
Our more observant Debian users may have noticed that we rolled out support for acquire-by-hash over the past week - you may have also noticed fewer pipeline disruptions as a result! What does this mean for me? If you're someone spinning many plates, you may have encountered some hiccups with your pipeline when updating your repository whilst sim…
Good news! As part of our efforts to further secure access for users in your org, we're introducing the ability to enforce SAML-only Authentication. Plus, a bonus is that SAML is now fully self-service configurable: With SAML-only Authentication configured, all members of your organization will no longer be able to use password-based or social-bas…
Good news! You can now set a custom support email and URL for your organizations. For error messages when installs or setups go wrong or where we need to communicate an issue to your users, we'll now display your own support email and URL. You can configure it in your org profile settings: For example, if your users use the automated bash installs…
Good news! If you've been looking for an easy method of setting the default access for a repository across your organization, we've got you covered. Introducing repository-level default privileges: These complement the existing default org-wide repository privileges. Such that the privilege for a user is the greatest privilege granted to them via…
By submitting this form, you agree to our privacy policy
