Zero-day Critical Security Vulnerability Notice for Java Logging Library Apache Log4j Service
A zero-day critical security vulnerability affecting the Java logging library Apache Log4j service was first discovered on December 9th. This vulnerability can allow remote attackers to perform unauthenticated remote code execution and gain access to Apache web servers, which are widely deployed and used in many products. Security researchers have observed hundreds of thousands of attempts to exploit this vulnerability since it was discovered. As such, organizations should take all measures necessary to mitigate this threat.
What you can do to help mitigate the risk
To mitigate this risk, Log4j should be upgraded to version 2.16.0 or later and/or vendor patches should be deployed to affected systems. Priority should be given to systems that are Internet-facing. For systems that cannot be patched, firewall and/or web application firewall rules should be deployed that prevent access to or exploitation of the Log4j service.
What systems are at risk from the Apache Web Server exploitation?
As previously stated, many products incorporate the Apache web server and are vulnerable. This is an industry-wide problem and identification of all affected systems is beyond the scope of this document. A list of affected Cisco products and remediation steps may be found here.
Steps IE’s OnDemand team has taken to remediate the issue
For our OnDemand customers, the following determinations have been made to validate the security of our management services:
- One cloud service, Perch, had third-party components that were potentially vulnerable. This was remediated immediately on Friday, December 10 by ConnectWise. No exploitation has been observed.
- ConnectWise's Global Search capability third-party component was affected by this vulnerability; this component is not active within OnDemand services.
- ConnectWise suspended Marketplace purchase capabilities of Manage Cloud while they are validating that there is no vendor exposure. Their comprehensive review is still underway.
- ConnectWise temporarily restricted all network access to their hosted StratoZen servers over the weekend but has now restored most of the services. This was to reduce risk with their third-party Fortinet integration. This component is not used within OnDemand services.
IE’s OnDemand team is continuing to assess the risk to each of our Assurance customers. IE will provide updates to each customer with any necessary remediation steps as soon as they are available.
If you're unsure if any of your systems have been affected by this exploitation, or if you would like assistance assessing your current environment and mitigating potential risks, please contact our team.
About Sean Rollman
Sean Rollman has been with IE since 2005 and has more than twenty years of experience providing the design, implementation, and management of complex technology solutions for mid-level and enterprise customers. His diverse background includes the development and oversight of voice, video, LAN, WAN, wireless, and data center solutions for customers across numerous verticals, both domestically and internationally.