  • Security Advisory Team

Security Advisory - Apache Log4j 2 CVE-2021-44228 Vulnerability

Dear Customers and Business Partners,


Our team is currently investigating CVE-2021-44228, a critical vulnerability affecting log4j, a Java logging package that is commonly used as a component or dependency in numerous applications. If your organization uses the log4j library, you should upgrade to log4j-2.15.0.rc2 or the latest stable release immediately.


Be sure that your Java instance is up to date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products. The log4j package may be bundled with software provided to you by a vendor. In this scenario, unfortunately, the vendors themselves will need to push the security updates downstream.


As you assess your own risk and threat model, please consider the components of the software you use and especially what may be publicly accessible.
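Added example, not part of the original advisory and not Prosynergy Solutions tooling: one way to check whether an application archive bundles log4j-core is to look for the Maven metadata the library carries inside its jar, descending into jars nested in WAR/EAR files. The 2.15.0 threshold is the release named in this advisory; the sample archive and its file names are constructed.

```python
import io
import re
import zipfile

# Maven metadata that a log4j-core jar carries; its "version=" line names the release.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# A log4j-core class: marks copies repackaged without the metadata (version unknown).
CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
ARCHIVES = (".jar", ".war", ".ear")
FIXED = (2, 15, 0)  # release line named in the advisory


def parse_version(props):
    """Return ((major, minor, patch), raw_string) from pom.properties text, or None."""
    m = re.search(r"^version=((\d+)\.(\d+)(?:\.(\d+))?\S*)", props, re.M)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.group(2, 3, 4)), m.group(1)


def scan_archive(data, label, depth=0, max_depth=5):
    """Yield (location, version, needs_upgrade) for every log4j-core copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        if POM in names:
            parsed = parse_version(zf.read(POM).decode("utf-8", "replace"))
            if parsed:
                yield label, parsed[1], parsed[0] < FIXED
        elif CORE_CLASS in names:
            yield label, "unknown", True  # needs manual review
        for name in names:
            if name.lower().endswith(ARCHIVES) and depth < max_depth:
                nested = f"{label}!/{name}"
                yield from scan_archive(zf.read(name), nested, depth + 1, max_depth)


def build_sample_war():
    """Constructed sample: a WAR bundling an old log4j-core jar under WEB-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM, "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

To check a real file, pass its bytes and path, for example `list(scan_archive(open(p, "rb").read(), p))`. Copies relocated under a renamed package (shaded jars) match neither marker, so an empty result is not proof of absence.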


Patching is therefore dependent on vendors investigating and publishing patches for said applications.


It should be noted that patching applications is beyond the remit of Prosynergy Solutions, as we patch up to the OS level. This activity will fall on customers as part of the shared responsibility model.


That said, we are actively scanning our external cloud interfaces using the latest tools for the Log4Shell vulnerability, notifying customers where it is detected.


Please note that lack of detection does not mean the vulnerability is not present in your environment.


Prosynergy Solutions is proactively applying workarounds and/or patches for infrastructure services, as they become available from vendors.



--

Sincerely,


Security Advisory Team



© 2024 - Prosynergy Solutions
