What is the Apache Log4j Logging Service Vulnerability?

Apache Log4j is one of the most popular web server logging utilities used in thousands of software applications. The Apache Log4j logging service (v 2.14.1 and below) vulnerability can allow malicious users to remotely execute code which can compromise the integrity of the system. 

Why is this considered a severe threat?

Any software with a web-based client or configuration component may be affected if it uses the Apache Log4j library. Some of these valuable assets can include Virtualization Hypervisor servers, accounting software packages, and software that runs on firewalls protecting your environments.

What can you do RIGHT NOW to address the vulnerability?

1. Reach out to your software vendors to see if they have vulnerability updates or workarounds.
2. Many firewall software and End Point protection platforms have built-in update tools. Make sure your firewalls and End Point protections are up to date and patched.
3. Check in with your software vendor to make sure all patches are up to date.

What to do in case your systems are affected?

If any active machines at your facility have vulnerable software with no readily-available fix, we recommend turning the off the machine(s) until a fix has been found. This is recommended for non-business critical assets only.

What is Champion doing?

Champion is reaching out to our OT software partners and vendors to compile a list of known affected products, along with remediation strategies. We can also assist in verifying that your OT environments are safe. 

                    

                        Review the list
                        
                    
                    

                

More information on this vulnerability can be found at these sites:

Statement from CISA Director Easterly on “Log4j” Vulnerability | CISA

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228