Update: 21 December 2021
As of the morning of 21 December 2021, we have identified all instances where vulnerabilities exist and have taken precautions to either apply patches, implement workarounds or closely monitor systems.
Original Post Below
A critical vulnerability has been made public for Apache’s Log4j Java-based logging tool. This remote code execution vulnerability (CVE-2021-44228) allows an attacker to send a specially crafted request that ultimately triggers remote code execution.
Many applications and software deployments across the Internet utilize Apache Log4j, which puts many companies and services at risk of exploitation. Several mitigations and workarounds have been presented, but for many applications a patch may be required from a software vendor.
At Deft, we take security threats seriously. Here’s what we’re doing to address Log4j:
- We began an in-depth assessment of the impact of this vulnerability on Friday, December 10th.
- Throughout the weekend and into today (Monday, December 13th), we have realigned priorities and teams to focus on this issue for our internal systems and clients.
- We completed scanning of systems over the weekend and found only isolated instances where remediation will be required.
- Where applicable, we are also in continuous communication with our critical vendors on their response, patches, and recommended processes.
We continue to monitor the situation and are working with our vendors to ensure timely updates are applied to our platforms. We advise everyone to work with their software vendors to ensure mitigations are in place if patches are unavailable.
We will provide any and all necessary updates about this security notice via this blog post.