Apache Log4j2 Vulnerability Updates

Comments

3 comments

  • Permanently deleted user
    Our security team has verified that none of the SearchUnify applications/services like crawlers, insight engine, admin console, Search, and other REST APIs exposed to the internet are using log4j libraries.

    However, the team is still scanning all internal dependent libraries (not exposed to the internet) for possible patching as a cautionary measure. Please keep checking this thread for more updates.
    0
  • Permanently deleted user
    Our security team has deployed the right patches in all our dependent binaries using the reported Log4j library.
    Also, there are controls in our environments to detect and prevent exploitation attempts.
    We'll share more updates on this thread.
    0
  • Permanently deleted user
    Status
    Our security team has verified that none of the SearchUnify applications/services like Crawlers, Insight Engine, Admin Console, Search, and other REST APIs exposed to the internet are using log4j libraries.
    However, there are some dependent binaries which were using the reported version of log4j since it's a very popular logging library in Java.

    We followed the official advisory from Apache (https://logging.apache.org/log4j/2.x/) and took the following steps to mitigate the vulnerability:
    Removed the JndiLookup class from the log4j Jars
    Java Virtual Machine (JVM) configuration/argument updates

    Prevention:
    We are using multi-layer defensive technologies (security controls) such as WAF (Web Application Firewalls) and continuous monitoring to maintain the security of our customers' data.

    Impact on Customer Data:
    The investigation is ongoing but, to date, we have not discovered any indication that customer data has been impacted as a result of this issue. We are actively working with our third-party vendors to help ensure that they have mitigations in place. No red alerts have been seen so far.

    If there are any updates in the future, we'll post them on the same thread.
    0
