Apache Log4J Vulnerability Update
What we are doing
Six Degrees CSOC (Cyber Security Operations Centre) are continually monitoring threat intelligence sources for Apache Log4j vulnerability developments and our Threat Response Team are ready to act as new risks and issues are reported.
Phishing campaigns remain the primary threat to UK organisations due to volume and capability of malware to launch ransomware attacks. We encourage our clients to continue taking all available steps to protect your organisation from phishing emails.
What we have done
- We have successfully actioned the available Log4j workarounds, patching and updates provided by our technology vendors as at 3pm 23 December.
The vulnerable technologies
- We have completed our review of over 250 technologies to assess their vulnerability to the Log4J threat.
- Key areas impacted include our Enterprise Cloud Platform (VMWare) and Avaya unified communication
- We have completed the first workaround released by VMWare in relation CVE-2021-44228. *
- We have completed the second VMWare workaround in relation to CVE-2021-45046. *
- As soon as a full patch is released, we will be ready to deploy, including over the Christmas period.
* The Enterprise Cloud workarounds have been completed without notification as they have not required downtime.
Avaya Unified Communication
- All relevant Avaya clients have had mitigation applied against the Log4j vulnerability
What you can do
- Communicate the need for high security discipline within your organisation to protect against phishing campaigns.
- Review your entire estate (not just Six Degrees managed) using this list to ascertain if you have vulnerabilities
- Where you have relationships with vendors, monitor their statements and act accordingly to their recommendations
- Act on our technical Apache vulnerability advice below
- Keep up to date with Six Degrees progress via our information hub
We will continue to monitor the situation and provide updates via our Information hub.