INDUSTRY VUNERABILITY ALERT – Publicly released on 9 December 2021, and known as Log4j or Log4Shell, is actively being targeted in the wild. CVE-2021-44228 has been assigned the highest “Critical” severity rating with a maximum risk score of 10.
On Tuesday, December 14th, new guidance was issued and a new CVE-2021-45046 (CVSS 3.7) was released stating that upgrading to Log4j version 2.15.0 is insufficient and version 2.15.0 is still vulnerable to Log4Shell, in certain scenarios.
TZA CUSTOMER RESPONSE
A remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications) was disclosed on 9 Dec 2021. This exploit applies to versions 2.0 <= log4j <= 2.14.1, and is widely used across common software applications.
TZA’s incident response team immediately reviewed our applications, services, and infrastructure to determine the impact of this vulnerability. Focus was initially on all external facing services and we determined that none of the external services included the affected library. We quickly determined that some of the internal ProTrack Connect ETL instances contained the affected library and patched them immediately. The ProTrack Connect ETL instances are responsible for internal file processing and have no external interface that would have been vulnerable.
TZA employed Veracode’s Software Composition Analysis and Trivy container scanner to ensure no vulnerabilities were missed within any of our products or infrastructure. As an extra layer of security, we also configured Google’s Cloud Armor to protect our services from any potential exploit attempts.
In addition to reviewing our products and systems, TZA has reviewed all internal applications and worked with our vendors to confirm if the exploit exists within their software and patch the software if necessary.