An update on the Apache Log4j CVE-2021-44228 vulnerability
- December 14, 2021
Security researchers have identified a critical vulnerability (CVE-2021-44228) in a commonly used Java logging component ("Apache Log4j").
As part of its vulnerability management process, 3stepIT has gone through the list of its customer-facing services and evaluated their status regarding the Log4j vulnerability. The current status of our services is:
* AssetIQ and REstepIT are not affected by this vulnerability.
* AssetNG and its supporting services have been updated to mitigate the vulnerability.
* In addition, ChooseIT, CheckIt, and FindIT have been updated to mitigate the vulnerability.
* The Profiler client that is part of the CheckIT service does not contain the vulnerable component and therefore has not been affected.
We have completed patching our services to a secure version to mitigate the vulnerability. We are also aware that new vulnerabilities are emerging in this "Apache Log4j" component, and we continue to patch to new versions as they emerge. The current update also protects against the more recently discovered vulnerability CVE-2021-45046. Furthermore, 3stepIT continues enhanced monitoring of its services. We have not detected any compromise of customer data.
We recommend that each customer go through their own IT estate to find out whether the vulnerable component is in use, update Log4j to the most recent version, and track the development of vulnerabilities in Log4j.