15.12.2021


Apache Log4j Security Vulnerabilities

Cisilion are working with our key vendors to determine what product sets are vulnerable to the recently discovered Apache Log4j Security Vulnerabilities. Cisilion regard the NIST Vulnerability Database as the source of truth for vulnerability management. NIST have rated this vulnerability with the highest CVSS Score of 10 (Critical).

Many software vendors and organizations use Apache Log4j, a Java-based logging utility, in their software solutions. Cisilion are working with vendors and partners to notify and remediate issues for supported customers, and will provide updates as further information becomes available.

 


How does this affect key vendors?

 

Cisco

Cisco have confirmed that some products are vulnerable and are working on completing the list of affected products and providing updates on potential fixes.

 

Microsoft

Microsoft have not found evidence that any of their services are vulnerable. However, customer-installed applications and third-party connectors could use Apache Log4j 2 and could therefore be vulnerable.

 

VMware

VMware have provided a list of vulnerable products and are working on patches and workarounds.

 

Vendors Who Are Not Vulnerable

  • Palo Alto
  • Redbox (still to confirm if any products are vulnerable)
  • Tiger
  • 2Ring Wallboards
  • Luware
  • ScienceLogic
  • ARC (Switchboard Console Software) version 6.3.x onwards
  • Cisilion SmartPortal

 


 

How do I protect my systems?

The National Cyber Security Centre have published some simple guidance that you can read here. The most basic steps can be summarised as:

  • Install the latest updates immediately wherever Log4j is known to be used
  • Discover unknown instances of Log4j within your organisation
  • Deploy protective network monitoring/blocking

If you’re concerned about your infrastructure, fill out the form below and we’ll put you in touch with our experts.