Log4j: What you need to know

Overview

There have been widespread reports of a new serious cyber security vulnerability within the last few days. Log4j is used by many systems worldwide including Apple and Amazon etc and its been discovered that there is a serious flaw that has been actively exploited already. Synergi is fully aware of this flaw and our team are actively checking Synergi vendors and our own systems; relevant advice or updates will be shared with our customers as they become available.

Synergi Customer Systems

We are investigating the impact widely, some suppliers have not released statements on log4j yet. We have deployed components via our Remote Monitoring Toolkit that will check for active exploits using the vulnerability. This is now running continually on all supported Managed Services customers. You will be notified if any active exploits or log4j vulnerabilities are discovered. If you have any questions or concerns, please contact the Synergi support desk however we will be actively helping to mitigate this risk ongoing for all customers.

Synergi Systems

We are working closely with our partners and are pleased to report that our main internal systems providers in Microsoft (Office, Security tools and D365), Datto (SaaS protect, Remote Management, Professional Services Automaton) and Sophos (Security Endpoint, WiFi and Firewalls) have all confirmed their systems are safe, have been updated, or do not use this technology.

We have compiled a list of information sources below for further detail. As always the team at Synergi are here to help, our experts are working to check for active exploits in order to mitigate risk for all customers.

Vendor Posts

• Git Hub NCSC updates/links to fixes – https://github.com/NCSC-NL/log4shell/tree/main/software
• Microsoft – Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation – Microsoft Security Blog
• Nintex – Zero day exploit on Apache log4j library – Nintex Community
• Sophos – Advisory: Log4j zero-day vulnerability AKA Log4Shell (CVE-2021-44228) | Sophos
• Datto – Datto’s Response to Log4Shell
• AWS – Update for Apache Log4j2 Security Bulletin (CVE-2021-44228) (amazon.com)
• IBM – An update on the Apache Log4j CVE-2021-44228 vulnerability – IBM PSIRT Blog
• VMware – VMSA-2021-0028 & Log4j: What You Need to Know – VMware vSphere Blog
• Google – Google Cloud recommendations for Apache Log4j 2 vulnerability | Google Cloud Blog
• Adobe – Apache Log4j 2 Advisory – Product Status (adobe.com)
• Box – Box’s statement on the recent Log4J vulnerability (CVE-2021-44228) | Box Blog
• Mimecast – Confirmed on partner portal that all identified services affected have been fully mitigated
• 1Password – https://1password.community/discussion/comment/622615
• OwlLab – confirmed via support Email that all systems are not affected by log4j
• PeopleHR – confirmed via support Email that all systems are not affected by log4j
• Powell Software – confirmed via Email that all systems are not affected by log4j

3^rd Party Posts

• Alert: Apache Log4j 2 vulnerability (CVE-2021-44228) – NCSC.GOV.UK
• Flaw prompts 100 hack attacks a minute, security company says – BBC News
• Log4j: Serious software bug has put the entire internet at risk | New Scientist
• Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability | ZDNet
• Log4j RCE: Patch issued but think about mitigating for now • The Register
• Divide And Conquer: Rapid Response To The Apache Log4j Vulnerability (forrester.com)

We will post further updates and links to this blog as they become available. Last updated 24/01/2022 11:40

***UPDATE – 23/12/2021***

Log4j latest – We are now actively scanning our own and all our Managed Service customer workstation and server systems daily to detect any signs of vulnerability or compromise. Please also be aware that the vulnerability can be present in any hardware devices that are network connected as well as software and cloud based systems.