
What's the impact of Log4j2?

Updated: Dec 16, 2021

Sage, Inc. response

Here is an excerpt from Sagecity regarding the Apache Log4Shell library exploit: "our initial findings indicate there are no exposed systems in the Sage Products or architecture stack that uses log4j – and where we have identified the potential for a vulnerability, we have issued a patch. However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this 3rd party component."

Update from Sage (12-16-2021)

Google Cloud Platform response

"Google Cloud is actively following the security vulnerability in the open-source Apache “Log4j 2” utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels."

For updates from the Google Cybersecurity Action Team on recommendations for investigating and responding to this Log4j vulnerability, please visit this blog post.

Other Information

In an article for TechRepublic on December 13, 2021, Lance Whitney wrote: "Apache has patched the vulnerability in its Log4j 2 library, but attackers are searching for unprotected servers on which they can remotely execute malicious code.

A serious security vulnerability in a popular product from Apache has opened the floodgates for cyber criminals to try to attack susceptible servers. On Thursday, a flaw was revealed in Apache's Log4j 2, a utility used by millions of people to log requests for Java applications. Named Log4Shell, the vulnerability could allow attackers to take control of affected servers, a situation that has already prompted hackers to scan for unpatched systems on which they can remotely run malicious code.

Anyone who uses the log4j library is urged to immediately upgrade to version Log4j 2.15.0. However, hackers know that organizations are often slow to patch even critical security flaws, which is why attackers are frantically hunting for unpatched systems. Other vendors, including Oracle, Cisco and VMware, have issued patches to secure their own products."

Even with the patch, this is shaping up to be a serious security problem expected to affect organizations and users for the foreseeable future.
