MacStadium Response to Apache Log4j Vulnerability
MacStadium does not use Apache Log4j in any of its development code bases, and at this time there have been no detected exploitations of the vulnerability and no externally exploitable systems have been identified within our network.
The MacStadium team continues its analysis of the remote code execution vulnerability (CVE-2021-44228) in Apache Log4j (a logging tool used in many Java-based applications), disclosed on December 9th, 2021. As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we are pleased to share the following information regarding our internal investigations.
MacStadium does not use Apache Log4j in any of its development code bases.
Our internal and external vulnerability detection platforms have been updated in accordance with vendor recommendations for this CVE, and at this time:
- There have been no detected exploitations of the vulnerability
- No externally exploitable systems have been identified within our network
All known currently available system patches and mitigation strategies have been applied according to published vendor recommendations.
We are actively working with all of our third-party vendors to identify any additional systems with potential unconfirmed vulnerabilities and remediate them appropriately as soon as patches or other mitigation strategies are published. In the meantime, we continue to closely monitor network traffic and log events in order to detect any malicious activity.
As MacStadium continues its investigation, we will notify customer primary points of contact immediately if we detect exploitation of the vulnerability, if we confirm a known exposure of vulnerable environments that has or could have left customer systems or data exposed, or if a third party or subcontractor within our supply chain that supports our customers is unable to conduct immediate remediation or has been exploited.
For additional details about this vulnerability, affected versions, and solutions, please reference the Apache Logging Services alert.