SECURITY ALERT: CVE-2021-44228 Apache Log4j
RDS Consulting ALERT: Some OpenText customers might be affected by the Apache “Log4j” vulnerability, referred to as, “Log4Shell”. Contact RDS Immediately, for assistance determining if your systems are affected and how to mitigate.
M-Files core product relies on programming languages other than Java, and thus we have not as of now identified use of vulnerable log4j library within M-Files Server / Desktop / Classic Web / VNEXT / Mobile services. Here is a link to the M-Files statement
WE’RE HERE TO HELP!
Summary
Our team continues our analysis of the remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications, such as, OpenText) disclosed on 9 Dec 2021.
RDS Consulting is taking steps to keep our OpenText customers safe and protected.
As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will continue to publish technical information to help customers detect, investigate, and mitigate attacks across all our services.
In addition to monitoring the threat landscape for attacks and developing customer protections, our security teams have been analyzing our products and services to understand where Apache Log4j may be used and are taking expedited steps to mitigate any instances. If we identify any impact to customer data, we will notify the affected party.
Background of Log4j
The vulnerability, tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. The scope of impact has expanded to thousands of products and devices, including Apache products such as OpenText. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux. As many Java-based applications can leverage Log4j 2, organizations should contact application vendors or ensure their Java applications are running the latest up-to-date version. Developers using Log4j 2 should ensure that they are incorporating the latest version of Log4j into their applications as soon as possible in order to protect users and organizations.
Further Information and Reading
RDS Consulting security teams have put together the following guidance and resources to help customers understand this vulnerability and to help detect and hunt for exploits:
RiskIQ published threat intelligence article to the community portal with information about the vulnerability and exploitation of it, as well as detections and mitigations: CVE-2021-44228 Apache Log4j Remote Code Execution Vulnerability
National Vulnerability Database (NIST): CVE-2021-44228 Detail
Cybersecurity & Infrastructure Security Agency (CISA: Part of the Department of Homeland Security) published a webpage for Apache Log4j Vulnerability CVE-2021-44228
~ The RDS Consulting Team