Our development teams have been working with the highest priority to identify and then remediate the Log4j vulnerability, an open-source logging software library, which became known on Thursday, December 9. Specific versions of the Log4j vulnerability were rated at the highest criticality level according to the Common Vulnerability Scoring System (CVSS). Our product teams are prepared for such situations. Defined and mature processes have been applied, including establishing a vulnerability management team to oversee the response activities to vulnerable versions with the highest priority.
We have successfully completed reasonable mitigation steps including:
- Scanning of our systems to discover instances and versions of Log4J within the organization.
- Installation of the latest updates or alternate mitigations.
- Deployment of protective network monitoring / blocking.
- Engagement with third party service providers if the affected system was Commercial off-the-Shelf (COTS)/ Modifiable off-the-Shelf (MOTS) or externally hosted.
Our product teams have not identified any incidents or intrusions.
Location Risk Intelligence
All systems scanned. A 3rd party component contained a log4j library, however there was no known exploit available at any time for this component. A Log4Shell mitigation patch was applied immediately as announced by the 3rd party. The scripts removed the JndiLookup class which is the only mitigation measure recommended by Apache Log4j that does not require updating the Log4j version. This action fully addresses CVE-2021-44228 and CVE-2021-45046.
Data Risk Intelligence (Compliance Web)
All systems scanned. No version of Log4j has been identified.
What is Log4j?
On December 9th, 2021, a vulnerability (CVE-2021-44228) concerning the Apache Log4J logging library became public.
A code library is an independent piece of software that is integrated into a product during the development process. The Apache Log4J code library is integrated in many Java applications, including those from Apple iCloud, Steam, Samsung Cloud storage, as well as thousands of additional other applications. The Apache Log4J library contains a software bug that results into a high severe vulnerability (CVSS 10/10). The vulnerability was originally disclosed to Apache by the Alibaba Cloud Security Team on November 24th.