Apache Log4J Zero Day Vulnerability Update – 16/12/21

16/12/2021 – Important Update

CVSS Score Critical 

Executive Summary  

Incident response

The management and resolution of this issue remains the highest corporate priority within Six Degrees. A dedicated response team is in place to continue analysing the scale of impact, co-ordinating our response actions and ensuring we deliver a resolution as soon as possible. 

We are making progress

  • We have reviewed over 250 technologies that form part of our service offering
  • We have begun implementing vendor workarounds on technologies that have been identified as vulnerable, which provides partial mitigation
  • We are reliant on vendors providing patches for full mitigation. As soon as these are released, we will schedule patching and provide an update

We are not complacent

We know that the security of your digital estate and data is invaluable to any modern business. For this reason, we will not rest until we have absolute clarity on the status of all technologies and have patched these in line with vendor guidance. We are also ensuring our core security infrastructure provides as much protection as possible to any exposed technology, and using our own security expertise to ensure we leave no stone unturned.

Further guidance

The NCSC (National Cyber Security Centre) reports that scanning and attempted exploitation are being detected globally, including in the UK. Six Degrees’ CSOC will continue to monitor such attacks for our supported customers. 

A detailed list of software that has been confirmed as vulnerable, and software that is currently under investigation, may be found at link 4 in the list below.

To assist further, we have shared some links below that may be beneficial while carrying out research across your technology space and with all your providers.

  1. Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Centre
  2. Log4j RCE 0-day actively exploited | CERT NZ
  3. https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
  4. https://github.com/NCSC-NL/log4shell/blob/main/software/README.md#m
