Zero-Day: Log4Shell Update, 14th December

Zero-Day: Log4Shell Update, 14th December

Zero-Day: Log4Shell Update, 14th December

14th December 2021

True to form with recent high-profile zero-day vulnerabilities, the Log4j issue is set to run and run. The first 48 to 72 hours are always critical, and, as outlined in our blog yesterday, we used this time to focus our efforts on moving fast in the four key areas to protect our own and client environments.

The next phase of mitigation is no less fluid, but it becomes one where a consistent and systematic approach is the order of the day. We continue to work with 3rd party pen-testers to repeat their testing given the evolving nature of such announcements. We will provide a further update once this is complete.

We are also engaged with our clients to assist them in understanding the announcement and are ensuring that appropriate actions are taken where necessary, our account teams remain in close contact with clients.

Given the fluid nature of dealing with a zero-day, we firmly believe communication and shared knowledge is important. Therefore, we are also providing a list of resources that we have found helpful in the table below.

Log4j Vulnerability (Log4Shell) Resource List

Description Link Comments
CVE ID and Description CVE-2021-44228 The catalog entry on the CVE Program database.
Apache Logging Services (LOG4J) Home Page Link
Apache Log4j Security Vulnerabilities Page Link
Apache Log4j Download Page Link
Options Primer and Blog Link
NCSC-NL maintained a list of Log4j related software Link An excellent list of version information, the status of vulnerableness and links to a source.
Tech Solvency Cheat Sheet Link Good collection of links to other summaries and technical analysis, along with a list of related software and their current status.
SwitHak Cheat Sheet Link There is a list of Log4j related software with links to their information page, no summary of current status.

 

We hope this list of resources is beneficial. For further information on the zero-day incident, please reach out to your Options contact or account manager.

To learn more about Options Managed Security offering, click here.

– Options InfoSec Committee.

Earlier update here:

Zero-Day: Log4Shell

Leave a Reply

Your email address will not be published. Required fields are marked *