A critical zero-day vulnerability in Apache Log4j, a widely used Java logging library, was disclosed on December 9, 2021 (CVE-2021-44228). According to initial reports, any externally facing Java application using Log4j 2 versions prior to 2.15 was vulnerable to remote code execution (RCE). This type of vulnerability allows a remote attacker to execute arbitrary code on, and take control of, an affected system. For additional details about this vulnerability, the affected versions and the fixes, see the Apache Logging Services security advisory and the US-CERT/CISA guidance. On December 14, 2021, it was announced that the fix in Apache Log4j 2.15 was "incomplete in certain non-default configurations", so a further upgrade to version 2.16 was required. During the week of December 20, 2021, it was disclosed that 2.16 was also vulnerable, so upgrading to 2.17 was required to fully remediate; Prove completed that upgrade.
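The version timeline above is what a remediation scan has to encode. The following is an added example written for this page; it is not Prove's tooling and not code from the Apache project. It walks a directory tree for log4j-core jars, reads the version from the Implementation-Version field in META-INF/MANIFEST.MF (falling back to the version in the filename), and classifies each jar against the thresholds stated above: below 2.15 is vulnerable to CVE-2021-44228, 2.15 and 2.16 carry incomplete fixes and need the upgrade to 2.17. The jar names and the sample jars it builds in a temporary directory are constructed for the demo; the "log4j-core-app.jar" case shows why the manifest, not the filename, should be trusted.

```python
"""Triage Log4j 2 jars against the version timeline on this page.

Added example, not Prove's tooling. The sample jars in demo() are
constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

# Thresholds from the page's timeline: below 2.15 -> RCE (CVE-2021-44228);
# 2.15 and 2.16 -> fix known to be incomplete, upgrade; 2.17 -> remediated.
FIRST_FIX = (2, 15, 0)
FULL_FIX = (2, 17, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y[.z] in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version):
    """Map a (major, minor, patch) tuple to a triage status."""
    if version[0] != 2:
        # Log4j 1.x is a separate, end-of-life code base; it is out of scope
        # for this CVE-2021-44228 check and must be tracked separately.
        return "not-log4j2"
    if version < FIRST_FIX:
        return "vulnerable"      # CVE-2021-44228 RCE
    if version < FULL_FIX:
        return "upgrade"         # 2.15 / 2.16: incomplete fixes, go to 2.17
    return "fixed"


def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to filename."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or no manifest: use the filename instead
    return parse_version(os.path.basename(path))


def scan(root):
    """Walk root for log4j-core jars and return {path: status}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                results[path] = classify(ver) if ver else "unknown"
    return results


def make_sample_jar(directory, filename, manifest_version=None):
    """Constructed sample: an empty jar with an optional manifest version."""
    path = os.path.join(directory, filename)
    with zipfile.ZipFile(path, "w") as jar:
        if manifest_version:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\n"
                         f"Implementation-Version: {manifest_version}\r\n")
    return path


def demo():
    """Build constructed jars covering each status and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(tmp, "log4j-core-2.15.0.jar", "2.15.0")
        make_sample_jar(tmp, "log4j-core-2.16.0.jar")            # no manifest
        make_sample_jar(tmp, "log4j-core-2.17.1.jar", "2.17.1")
        make_sample_jar(tmp, "log4j-core-app.jar", "2.13.3")     # renamed jar
        return {os.path.basename(p): s for p, s in scan(tmp).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:11} {name}")
```

The numeric comparison is deliberately conservative: Apache also shipped fixed backport releases on the 2.12.x (Java 7) and 2.3.x (Java 6) branches, and this script will flag those as "vulnerable" because their numbers are below 2.15. Treat that as a prompt to check the branch against the Apache advisory, not as a false positive to suppress. Shaded or fat jars that bundle Log4j under another name are not found by the filename prefix at all and need a class-level search.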
During the remediation efforts outlined above:
Thus, there is no known exposure of a vulnerable environment that has left, or could have left, Prove systems or Prove client data exposed.
Prove evaluated the impact of Log4Shell on our environments starting on December 10, 2021 and took appropriate actions to remediate. The following remediation steps were taken in affected environments:
Prove contacted all of our Tier 1 and Tier 2 third-party vendors and subcontractors on December 13, 2021 to inquire about the potential or actual impact of Log4Shell on their systems and networks. This is an effort to identify any third parties that a) are either unable or unwilling to conduct immediate remediation, or b) have been exploited via the Apache Log4j vulnerability. As of Friday, December 24, 2021, none of Prove's vendors had reported any exploitation. We continue to monitor our vendors as new information on Log4Shell becomes available.