14th December 2021
True to form with recent high-profile zero-day vulnerabilities, the Log4j issue is set to run and run. The first 48 to 72 hours are always critical, and, as outlined in our blog yesterday, we used this time to focus our efforts on moving fast in the four key areas to protect our own and client environments.
The next phase of mitigation is no less fluid, but it becomes one where a consistent and systematic approach is the order of the day. We continue to work with 3rd party pen-testers to repeat their testing given the evolving nature of such announcements. We will provide a further update once this is complete.
We are also engaged with our clients to assist them in understanding the announcement and are ensuring that appropriate actions are taken where necessary, our account teams remain in close contact with clients.
Given the fluid nature of dealing with a zero-day, we firmly believe communication and shared knowledge is important. Therefore, we are also providing a list of resources that we have found helpful in the table below.
Log4j Vulnerability (Log4Shell) Resource List
|CVE ID and Description||CVE-2021-44228||The catalog entry on the CVE Program database.|
|Apache Logging Services (LOG4J) Home Page||Link|
|Apache Log4j Security Vulnerabilities Page||Link|
|Apache Log4j Download Page||Link|
|Options Primer and Blog||Link|
|NCSC-NL maintained a list of Log4j related software||Link||An excellent list of version information, the status of vulnerableness and links to a source.|
|Tech Solvency Cheat Sheet||Link||Good collection of links to other summaries and technical analysis, along with a list of related software and their current status.|
|SwitHak Cheat Sheet||Link||There is a list of Log4j related software with links to their information page, no summary of current status.|
We hope this list of resources is beneficial. For further information on the zero-day incident, please reach out to your Options contact or account manager.
To learn more about Options Managed Security offering, click here.
- Options InfoSec Committee.