Some customers may already be aware of a major security vulnerability that has been identified in the popular open-source logging library Log4j.
We are aware of this vulnerability and will be contacting customers directly to discuss it in more detail. In the meantime, we wanted to share some important information for those who might not be aware of the situation, or of the potential severity of this vulnerability.
The information collated below is all publicly available and has been gathered from industry leaders to provide a detailed summary. This information is correct at the time of writing, but please be aware that this is a dynamic situation and some information may become inaccurate as further details emerge. We will endeavour to update with new details as regularly as possible, and will include relevant hyperlinks where required to deliver the latest information.
As you may have heard or seen reported on the news, on December 9th 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. This vulnerability was given a CVSS (Common Vulnerability Scoring System) score of 10.0, which is the highest and most critical rating there is.
Log4j is a popular open-source logging library made by the Apache Software Foundation. The security vulnerability found in Log4j allows attackers to execute commands remotely on a target system.
The severity of this vulnerability is classified as “Critical” by NIST. Full details available here.
Within your IT infrastructure there will most likely be either software or hardware in use that utilises the Log4j logging library. This could be something as simple as a door access control system, a web server, a firewall, or perhaps even a piece of software you use every day such as your ERP, CRM, or HR system. The logging library is a common piece of software that is used by many different services within your IT estate.
In an effort to counteract the vulnerability, Apache have released a new patch, but it will take some time for this to be fully integrated into the “software specific” patches developed by individual software manufacturers. This means that there isn’t currently a complete toolbox of software updates that can be applied to your infrastructure to protect you.
Several software manufacturers have already announced whether their products are affected and, where they are, have outlined the steps to remediate. The remediations vary: some detail the release of new software updates, while others suggest initial workarounds that involve disabling the logging systems that are susceptible to the risk.
The vulnerability is most applicable to public-facing systems that are exposed through your firewall. For most of our customers, the risk is much lower, but for customers with public/internet-facing systems, our efforts will be focused on making sure that updates suggested by your software manufacturers are prioritised for installation.
We expect that you will receive communication from the manufacturers of your industry-specific or bespoke software and hardware with instructions on the next steps for remediation, whether that be a software patch or a workaround. Software patches for hardware such as firewalls, switches, servers, and SANs will mostly be communicated directly to us as your support partner, so we will be collating this information on your behalf and investigating how these can be applied to your infrastructure.
We will be closely monitoring software manufacturers’ update notices to make sure that when updates are available, we can work with our customers to facilitate their deployment.
Any updates that can be performed automatically and without disruption will be done as normal using our helpdesk remote monitoring system.
For more details on the vulnerability, we’d recommend reading the below summary provided by the BBC.