Mytech Knowledge Center

Security Alert: Critical Log4j Vulnerability

Written by Jonathan Fondell | Dec 14, 2021 6:49:33 PM

Update 12.22.21. This vulnerability continues to pose a major risk for many organizations. Due to the nature of this exploit, your greatest risk likely comes through any vendor that provides software to your organization. If you have not already discussed this vulnerability with each of your vendors and confirmed that their patches are up to date, do so immediately.

In addition, you should discuss your exposure level with your IT provider, to determine any potential points of attack on your network. Mytech is working behind the scenes to catalogue and track security updates from our clients' vendors, to help us quickly assess any remaining risks. But the threat of this attack remains high, and your IT provider cannot defend you from vendor vulnerabilities that they don't know about.
---

Over the weekend, you may have heard about the Log4j remote code execution (RCE) vulnerability, CVE-2021-44228. Log4j is a Java logging package used in a significant variety of software, so this vulnerability poses a serious cybersecurity threat to unpatched systems. A patch for CVE-2021-44228 has been released. However, due to the nature of this tool, there is no global patch that can be pushed to all instances of Log4j at once: each vendor that uses Log4j must individually patch their specific software.

The technology community is working quickly to release patches for these vulnerabilities, but it can be difficult to track which applications have been secured and which are still at risk. Unfortunately, there is no “master list” of where the Log4j package is used, or which applications may still be vulnerable.

What you should do:

While there is no direct action you can take to accelerate this process, you can help by informing your managed services provider about which applications have been patched. You may have already received communication from many of your software providers about their mitigation plan: if so, we recommend you forward these notifications to your IT provider, so they can review any risks or actions that still need to be addressed.

We also recommend proactively reaching out to the vendors of any line-of-business applications that have not yet contacted you about this vulnerability, to identify whether they use the Log4j tool and what steps they have taken to secure it. You may also find this information on their product release or update pages. If you discover their software does use Log4j, and they have not patched or mitigated the risk, you should inform your IT support team immediately.

What Mytech is doing:

Mytech is working diligently to identify any of our applications or applications used by our clients that utilize Log4j. We are deploying patches wherever they are available, and deploying mitigations wherever required. Thus far, we have found no evidence of a successful exploitation, but we will continue to monitor this situation closely over the coming weeks.

In the meantime, our Mytech clients should follow our Security Alerts page for future updates, and forward any messages from your vendors about this vulnerability, so Mytech can act promptly to keep you secure.