Cydar response to Apache Log4j Vulnerability

Posted in Security on 15 Dec 2021

As has been extensively reported, a critical vulnerability has been discovered in Apache Log4j, a widely used component frequently incorporated into Java software products. The vulnerability is being actively exploited, and the consequences of a successful exploit are potentially serious. More information is available from the UK National Cyber Security Centre, the US NIST National Vulnerability Database, and CERT-EU.

As part of our ongoing security measures, Cydar immediately investigated the vulnerability and initiated a response. We quickly established that the core Cydar EV system was not affected. On a wider review, we identified a small number of internal non-production systems using third-party software that are affected. These systems are not publicly accessible, and so are not at high risk of exploitation. We have applied the recommended mitigations and restricted the outgoing traffic from the hosts in question as an additional precaution.

This vulnerability is both serious and widespread, and the effects are likely to be felt globally for a long time to come. We are confident that we have addressed any potential issue with respect to our systems, but we will of course continue to monitor developments and take any further action necessary.

Apache®, Apache Log4j and the Apache Log4j logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. No endorsement by The Apache Software Foundation is implied by the use of these marks.