Apache Log4j2 Vulnerability Updates
We would like to notify all our customers that our security team is still assessing the risks associated with log4j vulnerabilities. So far, our team has not discovered any risk.
Please keep checking this thread for updates. We strongly suggest that you subscribe to updates on this thread.
More updates on this: https://logging.apache.org/log4j/2.x/index.html
-SearchUnify Community team
Our security team has verified that none of the SearchUnify applications/services like crawlers, insight engine, admin console, Search, and other REST APIs exposed to the internet are using log4j libraries.
However, the team is still scanning all internal dependent libraries (not exposed to the internet) for possible patching as a cautionary measure. Please keep checking this thread for more updates.
Our security team has deployed the right patches in all our dependent binaries using the reported Log4j library.
Also, there are controls in our environments to detect and prevent exploitation attempts.
We'll share more updates on this thread.
Status
Our security team has verified that none of the SearchUnify applications/services like Crawlers, Insight Engine, Admin Console, Search, and other REST APIs exposed to the internet are using log4j libraries.
However, there are some dependent binaries which were using the reported version of log4j since it's a very popular logging library in Java.
We followed the official advisory from Apache (https://logging.apache.org/log4j/2.x/) and took the following steps to mitigate the vulnerability:
Removed the JndiLookup class from the log4j Jars
Java Virtual Machine (JVM) configuration/argument updates
Prevention:
We are using multi-layer defensive technologies (security controls) such as WAF (Web Application Firewalls) and continuous monitoring, to maintain the security of our customers' data.
Impact on Customer Data:
The investigation is ongoing but, to date, we have not discovered any indication that customer data has been impacted as a result of this issue. We are actively working with our third-party vendors to help ensure that they have mitigations in place. No red alerts have been seen so far.
If there are any updates in the future, we'll post them on the same thread.
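One way to verify the first mitigation step listed in the status update above (removal of the JndiLookup class from the log4j JARs), as an added example that is not SearchUnify's own tooling. The function names and the sample archives are constructed for illustration, and matching on the path suffix so that relocated (shaded) copies are also reported goes beyond what the post describes.

```python
import io
import sys
import zipfile

# Class that the Apache advisory says to delete from log4j-core JARs.
# Matched as a path suffix so copies relocated under another prefix are caught too.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def find_jndi_lookup(data, label, depth=0, max_depth=5):
    """Return the label of every archive, nested ones included, that still holds the class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_LOOKUP):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Fat JARs and WARs bundle dependencies as inner archives: recurse into them.
                nested_label = f"{label}!/{name}"
                hits += find_jndi_lookup(zf.read(name), nested_label, depth + 1, max_depth)
    return hits

def _make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed samples: class present, class removed, and a fat JAR nesting both.
    unpatched = _make_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    patched = _make_jar({"META-INF/MANIFEST.MF": b""})
    fat = _make_jar({"BOOT-INF/lib/log4j-core.jar": unpatched, "BOOT-INF/lib/other.jar": patched})
    return {"unpatched": find_jndi_lookup(unpatched, "unpatched.jar"),
            "patched": find_jndi_lookup(patched, "patched.jar"),
            "fat": find_jndi_lookup(fat, "app.jar")}

if __name__ == "__main__":
    # Usage: python script.py path/to/app.jar [more archives...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_jndi_lookup(fh.read(), path):
                print("JndiLookup.class still present:", hit)
```

An empty result for an archive means the class was not found in it or in any archive nested inside it, down to the recursion limit.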