A zero-day critical security vulnerability affecting the Java logging library Apache Log4j service was first discovered on December 9th. This vulnerability can allow remote attackers to perform unauthenticated remote code execution and access to Apache web server, which are widely deployed and used in many products. Security researchers have observed hundreds of thousands of attempts to exploit this vulnerability since it was discovered. As such, organizations should take all measures necessary to mitigate this threat.
What you can do to help mitigate the riskTo mitigate this risk, Log4j should be upgraded to version 2.16.0 or later and/or vendor, I should deploy patches to affected systems. Priority should be given to those systems which are Internet facing. For systems that cannot be patched, firewall and/or web application firewall rules should be deployed that prevent access to or exploitation of the Log4j service.
As previously stated, many products incorporate the Apache web server and are vulnerable. This is an industry-wide problem and identification of all affected systems is beyond the scope of this document. A list of affected Cisco products and remediation steps may be found here.
For our OnDemand customers, the following determinations have been made to validate the security of our management services:
IE’s OnDemand team is continuing to assess the risk to each our Assurance customers. IE will provide updates to each customer with any necessary remediation steps as soon as they are available.
If you're unsure if any of your systems have been affected by this exploitation, or if you would like assistance assessing your current environment and mitigating potential risks, please contact our team.