pasUNITY Mitigation of Log4J Vulnerability

Written By Gary Fletcher


The IT world is buzzing right now about a very serious new security vulnerability that affects Apache web servers using the Log4J version 2.x logging library.  

What makes this any different from any other security vulnerability?

Only that the consequences in a very particular scenario can be quite severe if not mitigated. Unlike many bugs, which are often well known and/or automatically patched through Windows Update or some other common patching mechanism, this one requires manual intervention: you must first determine whether the scenario applies and then manually take steps to prevent it.

Who is affected?

Anyone running Apache web servers with Log4J version 2.0 through 2.14.1 who has either not upgraded the component or not manually implemented a mitigation. In our data center, only a handful of products use this component, the most common being Infor SunSystems 6.3 and above.

What is pasUNITY doing to protect customers and mitigate the vulnerabilities?

We have globally implemented a mitigation on every machine in our environment that prevents the exploit from being used (whether or not the machine has Apache installed). Over time, vendors whose software relies on the affected components will release patches that move their use of Log4J to a newer version that is not vulnerable to the exploit, rendering this mitigation unnecessary. In the meantime there is no need to panic: we have already ensured that access to the lookup formatting function used by the exploit is globally disabled throughout our enterprise.
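
An added example, not pasUNITY's own tooling: a Python check that inventories log4j-core jars under a directory, applies the 2.0 through 2.14.1 range given above, and reports whether a no-lookups switch covers each one. The switch name `LOG4J_FORMAT_MSG_NO_LOOKUPS` and its 2.10 minimum are assumptions about the mitigation described here, which the post does not name; the function names are illustrative.

```python
import os
import re
import sys
import zipfile
from pathlib import Path

# Range the post gives as affected, applied literally; treat every hit as a prompt for review.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumption (not from the post): the no-lookups switch is honoured only by 2.10 and later.
FLAG_NAME, FLAG_MIN = "LOG4J_FORMAT_MSG_NO_LOOKUPS", (2, 10, 0)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$", re.I)

def parse_version(name):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_RE.search(name)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def classify(name, env):
    """Label one jar: outside-range, mitigated-by-flag, or needs-action."""
    version = parse_version(name)
    if version is None:
        return "unknown"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-range"
    flag_on = env.get(FLAG_NAME, "").strip().lower() == "true"
    return "mitigated-by-flag" if flag_on and version >= FLAG_MIN else "needs-action"

def scan(root, env=None):
    """Walk root for log4j-core jars, including ones packed one level deep in archives."""
    env = os.environ if env is None else env
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jar", ".war", ".ear"):
            continue
        if JAR_RE.search(path.name):
            findings[str(path)] = classify(path.name, env)
        try:
            with zipfile.ZipFile(path) as archive:
                nested = [n for n in archive.namelist() if JAR_RE.search(n)]
        except (zipfile.BadZipFile, OSError):
            continue  # not a readable archive; the file-name check above still applied
        for name in nested:
            findings[f"{path}!{name}"] = classify(name, env)
    return findings

if __name__ == "__main__":
    for location, status in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{status:18} {location}")
```

The check relies on file names only, so a renamed or shaded copy of the library will not be reported, and the environment it reads is that of the scanning process rather than of each Java service.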

Is there anything that I need to do?

Yes.  Talk to your IT department to make sure that they are on top of this to protect your organization.  And remain vigilant.

Where can I learn more?

The vulnerability is widely documented on a number of popular sites, but let us recommend this article from the Microsoft Security team, which solidly addresses the impact on Windows operating systems, and this official announcement of the vulnerability.

2024-04-28 15:49:05