December 2021

Apache Log4j Vulnerability (“Log4Shell”)

Background:

A critical zero-day vulnerability in Apache Log4j, a common Java logging module, was discovered on December 9, 2021 (CVE-2021-44228). According to initial reports, any external-facing Java-based application using Log4j versions prior to 2.15 was vulnerable to remote code execution (RCE). This type of vulnerability allows a remote attacker to take control of an affected system. For additional details about this vulnerability, affected versions and solutions, please reference the Apache Logging Services alert and US-CERT / CISA guidance. On December 14, 2021, it was announced that the fix in Apache Log4j 2.15 was "incomplete in certain non-default configurations" and thus additional patching to version 2.16 was required. During the week of December 20, 2021, it was communicated that vulnerabilities also existed in 2.16, and thus upgrading to 2.17 was required and was completed in order to fully remediate.
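As an added example (not part of Prove's statement), a small Python triage helper that applies the version thresholds stated above to log4j-core jar names from a constructed file inventory; the status labels, the jar-name pattern and the sample paths are assumptions of the example.

```python
import re

# Matches the log4j-core artifact, the jar that carries the affected code.
# Assumption: the inventory lists jar paths; other naming schemes are not handled.
_JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify_log4j_version(version: str) -> str:
    """Classify a Log4j version against the remediation timeline in the advisory.

    Only the thresholds given above are modelled (pre-2.15 vulnerable, 2.15
    incomplete, 2.16 needing a further upgrade, 2.17 remediated).
    """
    v = parse_version(version)
    if v < (2,):
        return "out-of-scope"      # Log4j 1.x is not the subject of this advisory
    if v < (2, 15):
        return "vulnerable"        # RCE per CVE-2021-44228
    if v < (2, 16):
        return "incomplete-fix"    # 2.15 incomplete in non-default configurations
    if v < (2, 17):
        return "needs-upgrade"     # further vulnerabilities reported in 2.16
    return "remediated"            # 2.17 or later


def triage_jar_names(jar_names):
    """Map each log4j-core jar path to its status; paths that do not match are skipped."""
    results = {}
    for name in jar_names:
        match = _JAR_RE.search(name)
        if match:
            results[name] = classify_log4j_version(match.group(1))
    return results


# Constructed sample inventory (not real host data).
SAMPLE_INVENTORY = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/srv/internal/lib/log4j-core-2.16.0.jar",
    "/srv/internal/lib/log4j-core-2.17.0.jar",
    "/opt/app/lib/log4j-api-2.17.0.jar",   # not log4j-core, so ignored
]

if __name__ == "__main__":
    for path, status in triage_jar_names(SAMPLE_INVENTORY).items():
        print(f"{status:15} {path}")
```

Feed it the jar paths from a file-system or package scan to confirm that every instance has reached 2.17 or later.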

Conclusion:

During the remediation efforts outlined above: 

  • Prove did not detect an exploitation of the vulnerability in the systems Prove owns and/or manages.
  • Prove is not aware of any third-party vendor/subcontractor that has been exploited by Log4Shell.
  • Prove's 24/7 SOC continues to monitor in real time for all signatures related to the Log4j vulnerability on Prove-owned systems.

Thus, there is no known exposure of vulnerable environments that have or could have left Prove systems or Prove client data exposed.

Prove Remediation Effort:

Prove evaluated the impact of Log4Shell to our environments starting on December 10th and took appropriate actions to remediate. The following remediation steps were taken to affected environments:

  • Prove patched all internet-facing, vulnerable instances of Apache Log4j on Friday, December 10, 2021 and upgraded the systems accordingly to version 2.15. On Wednesday, December 15, 2021, Prove upgraded its client-facing systems to version 2.16 after learning that version 2.15 was also vulnerable. On Wednesday, December 22, 2021, Prove upgraded those systems to 2.17 as required.
  • The Log4j vulnerability was also present on an internal system with no public internet access, accessible by only three (3) Cloud Engineers. This instance of Log4j was upgraded to 2.16 on December 13, 2021, and again to version 2.17 on December 22, 2021 as required.

Prove contacted all of our Tier 1 and Tier 2 third-party vendors/subcontractors on December 13, 2021 to inquire about the potential or actual impact of Log4Shell on their systems/networks. This is an effort to identify any third parties that a) are either unable or unwilling to conduct immediate remediation or b) have been exploited by Apache Log4j. As of Friday, December 24, 2021, Prove's vendors have not experienced any exploitation. We continue to monitor our vendors as new information on Log4Shell becomes available.