Service Objects is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library, dubbed Log4Shell (or LogJam). Service Objects is investigating and mitigating our enterprise applications and additional services that may potentially be impacted. Service Objects will continually publish information to help customers detect, investigate, and mitigate attacks, if any, to our DOTS web services.
Service Objects Enterprise
Service Objects will continue to inventory our systems potentially impacted by the CVE-2021-44228 vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.
Service Objects Web Services
Service Objects is continuing a service-by-service analysis for Log4j impacts. If a DOTS web service is impacted, there will be a bulletin posted on this blog as remediation or fixes become available.
Updates will appear below:
12/23/21:
Our engineers were able to successfully remediate the affected systems following guidance provided by https://www.cisa.gov/
-Disabled Log4j where applicable
-Upgraded Log4j to version 2.17 where applicable