An update on the Apache Log4j vulnerability CVE-2021-44228

By Jade Miles | 14 December 2021

OASIS Group, along with IT service providers across the globe, actively responded to the recently reported remote code execution (RCE) vulnerability in the Apache Log4j Java library.

The vulnerability, which was made public on 9th December 2021, has been assigned a CVSS score of 10.0, the maximum on the scale. This means that the threat has been rated as critical.

“We have taken immediate action to detect any associated threats and mitigate against vulnerabilities related to CVE-2021-44228. We would like to assure our clients that we have not found any active exploitation of this vulnerability in our systems.”

Steve Townley, CIO of OASIS Group

Apache Software released an upgrade to Log4j 2.15.0 to patch the vulnerability and this has, where necessary, been implemented across the OASIS Group systems. A further update, 2.16.0, has since been released and is being implemented by our IT specialists.

What actions do clients need to take?

There are no actions required for clients using OASIS systems; we have already made the necessary upgrades and continue to monitor for threats as usual. Log4j is widely used across many IT applications, so we recommend that you check with your in-house IT department or other suppliers about the systems they provide to you.

Some other useful information:

What is a CVSS score?

CVSS stands for the Common Vulnerability Scoring System. It is an industry standard that provides a numerical representation (0-10, with 10 being the highest) of the severity of security vulnerabilities in software.

What is a remote code execution (RCE)?

Remote code execution (RCE) is a cyber-attack in which an attacker runs code of their choosing on someone else’s device or system over a network, giving them access to and control of it without the need for a username or password. Because it is carried out over the network, the attack can be launched from anywhere in the world.

What is Log4j?

Almost all software keeps a record of errors and other important events. Log4j is one of the most common logging packages used around the globe.

How have OASIS mitigated against the vulnerability?

OASIS’ team of in-house IT professionals, including IT Software Engineering and IT Infrastructure Security Specialists, among others, were alerted to the vulnerability. The teams immediately worked to upgrade, where necessary, Log4j to version 2.15.0, which was released to address CVE-2021-44228.

A further update, 2.16.0, has since been released and is being implemented by our IT specialists.

We have also, where possible, added additional Java configurations and increased security protections via our firewalls and other security software.
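The upgrade described above depends on first knowing where Log4j is installed and which version each copy is. The following script is an added illustration of that inventory step; it is not OASIS Group code and does not reflect how OASIS performed its checks. It assumes the standard jar naming (log4j-core-<version>.jar) and the Implementation-Version field in the jar's META-INF/MANIFEST.MF, reads the manifest version in preference to the filename so that a renamed jar is still identified, and flags any copy older than 2.16.0, the latest release named in this update. The jars it scans are constructed in a temporary directory for the demonstration and contain only a manifest.

```python
"""Inventory log4j-core jars under a directory tree and flag versions older
than 2.16.0 (the latest release named in the advisory).

Added example, not OASIS Group code. Assumes Maven-style naming
(log4j-core-<version>.jar) and the Implementation-Version manifest entry;
the jars built by demo() are constructed sample input, not real Log4j builds.
"""
import os
import re
import tempfile
import zipfile

# Latest fixed release named in the advisory; anything older is flagged.
FIXED_VERSION = (2, 16, 0)

JAR_NAME = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None if text is not a dotted version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def manifest_version(jar_path):
    """Read Implementation-Version from the jar's manifest; None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def scan(root):
    """Walk root and return (path, version, needs_upgrade) for every log4j-core jar.

    The manifest version wins over the filename so a renamed jar is still
    identified. A jar whose version cannot be determined is reported as
    (path, None, True) rather than silently skipped, so it gets a human look.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("log4j-core"):
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path)
            if version is None:
                m = JAR_NAME.match(name)
                version = parse_version(m.group(1)) if m else None
            needs_upgrade = version is None or version < FIXED_VERSION
            findings.append((path, version, needs_upgrade))
    return findings


def _make_jar(path, version):
    """Write a constructed jar containing only a manifest (sample input)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Build a constructed tree with old, fixed and renamed jars, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", "lib"))
    _make_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _make_jar(os.path.join(root, "app", "lib", "log4j-core-2.16.0.jar"), "2.16.0")
    # Version stripped from the filename; the manifest still reveals 2.15.0.
    _make_jar(os.path.join(root, "app", "log4j-core.jar"), "2.15.0")
    return sorted(scan(root))


if __name__ == "__main__":
    for path, version, needs_upgrade in demo():
        status = "UPGRADE" if needs_upgrade else "ok"
        print(f"{path}  version={version}  {status}")
```

In practice the scan would be run against the application and server roots (and the results reconciled with a software inventory), with each flagged jar passed to the team responsible for that application's upgrade.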