A critical zero-day security flaw in the Java logging library Apache Log4j was first discovered on December 9, 2009.
What you can do to mitigate the risk
Systems that are Internet-facing should be given priority. If the Log4j service cannot be repaired, firewall and/or web-application firewall rules should be used to block access to it or exploitation of it.
What systems are at greatest risk from the Apache Web Server exploitation?
As previously stated, many products incorporate the Apache web server and are vulnerable. This is an industry-wide problem and identification of all affected systems is beyond the scope of this document. A list of affected Cisco products and remediation steps may be found here.
The OnDemand team at IE has taken steps to address the issue
These are the security measures that we have taken to ensure the security of our management services for our OnDemand customers:
Perch, a cloud service, had potentially vulnerable third-party components. ConnectWise immediately remedied the situation on Friday, December 10. No exploitation has been observed.
ConnectWise’s Global Search capability third-party component was affected by this vulnerability; this component is not active within OnDemand services.
ConnectWise suspended Marketplace purchase capabilities of Manage Cloud while they are validating that there is no vendor exposure. Their comprehensive review is still underway.
ConnectWise temporarily restricted all network access to their hosted StratoZen servers over the weekend but has now restored most of the services. This was done to reduce the risk associated with their third-party Fortinet Integration. This component is not used in OnDemand services.
IE continues to assess the risk for each of our Assurance customers. IE will provide updates to each customer with any remediation steps.
Contact our team if you are unsure whether your systems were affected by this exploitation or if you need assistance in assessing your current environment and mitigating any potential risks.
Sean Rollman joined IE in 2005. He has more than 20 years of experience in the design, implementation, management, and support of complex technology solutions for enterprise and mid-level customers. His varied experience includes the development and oversight of voice, video, wireless, LAN, and WAN solutions for customers in many verticals, both domestically and internationally.
Sean Rollman is your contact