Last Friday, December 10, 2021, an exploit was publicly released for a critical zero-day vulnerability dubbed “Log4Shell” in the Apache Log4J Java-based logging library. The critical remote code execution vulnerability primarily affects Apache Log4J software library versions 2.0–2.14.1. (The 1.x series of Log4J is also vulnerable when the JMS Appender class is being used.)

We want to assure our customers that Adaptiva products are unaffected by this vulnerability, and all versions of our products remain safe to use. While Adaptiva products use Log4J, we do not rely on the affected versions (2.0-2.14.1). We also do not use the affected Log4J JMS Appender class in any of our products, nor is the class included in the jar. The Adaptiva client is safe to keep installed and enabled on all your endpoints.

What is Log4J and Log4Shell?

Log4J is broadly used in a variety of consumer and enterprise services, websites, and applications to log security and performance information. An unauthenticated, remote actor could exploit this vulnerability to take control of an affected system. With zero-day disclosures like this, attackers have an advantage while software vendors scramble to develop the fix. If left unpatched, cyberattackers could use the bug to take over computers and servers, potentially putting enterprises at risk.

More information about this CVE can be found here.

What is Adaptiva doing to help? 

The Adaptiva endpoint management platform can be a powerful tool for you to detect and remediate endpoints affected by the Log4j vulnerability. Adaptiva is working diligently to equip our Endpoint Health product with a brand new custom health check that will help customers quickly identify files and endpoints that are impacted by the Log4J vulnerability. The new health check will automatically detect and identify endpoints that are vulnerable or have already been affected by the Log4J attack. The new health check package is expected within the next 24 hours.
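A file-level check built on the two criteria this page gives (a Log4J 2.x version in the 2.0–2.14.1 range, or the 1.x JMS Appender class being present in the jar) can look like the following. This is an added example, not Adaptiva's health check or code from any Adaptiva product; the function names are hypothetical, and the two archive paths are the standard locations used in the Apache jars rather than values taken from this page.

```python
import io
import re
import zipfile

# Standard locations inside the Apache jars (assumed; not taken from the page).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # Log4J 1.x JMS Appender
ARCHIVE_EXT = (".jar", ".war", ".ear")

def make_jar(files):
    """Build an in-memory jar from {name: bytes}; for constructed test samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def _core_version(zf):
    """Return log4j-core's version as (major, minor, patch), or None if absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(archive, label="<archive>", depth=3):
    """Return [(location, finding)] for an archive and the archives nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return [(label, "unreadable archive")]
    with zf:
        names = zf.namelist()
        ver = _core_version(zf)
        if ver is not None:
            in_range = (2, 0, 0) <= ver <= (2, 14, 1)  # range stated on this page
            state = "affected" if in_range else "outside affected range"
            findings.append((label, "log4j-core %d.%d.%d: %s" % (ver + (state,))))
        if JMS_APPENDER in names:
            findings.append((label, "Log4J 1.x JMSAppender class present"))
        if depth > 0:  # descend into bundled jars (fat jars, WAR/EAR files)
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(name))
                    findings += scan(inner, label + "!/" + name, depth - 1)
    return findings
```

Copies of the library that were repackaged without their Maven metadata, or with relocated class names, will not be reported by this check, so an empty result is not proof of absence.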

Adaptiva’s Endpoint Health product automates discovery and remediation of endpoint configuration issues to maintain unprecedented rates of compliance and end-user uptime and satisfaction across your network. Leveraging the Adaptiva Edge platform, IT can continuously deliver software, configurations, and patches to endpoints no matter their location, whether on the corporate LAN, VPN, or over the public internet.

Please note that while Endpoint Health does have built-in remediations for many endpoint configuration issues, there is not currently a built-in remediation available for this Log4J exploit, because Log4J is embedded in so many applications that it would require customized remediations. Endpoint Health does have a powerful no-code authoring capability that you can use to create customized remediations for this exploit.

FAQ 

Adaptiva is committed to supporting and ensuring the health of our clients and their networks. Therefore, we have put together the following FAQ to help you understand the impact of Log4J on our environment:

Does Adaptiva use Log4J in any of its products, internal systems, SaaS vendor solutions, or have any open-source dependencies that may use Log4J? 

We want to assure our customers that Adaptiva products are unaffected by this vulnerability, and all versions of our products remain safe to use. While Adaptiva products use Log4J, we do not rely on the affected versions (2.0-2.14.1). We also do not use the affected Log4J JMS Appender class in any of our products, nor is the class included in the jar.

Using the available known guidance on Log4J versions, are Adaptiva’s systems vulnerable to DDoS, code injection, or both?

No, there is no risk to your clients due to having the Adaptiva client installed. While Adaptiva products use Log4J, we do not rely on the affected versions (2.0-2.14.1). We also do not use the affected Log4J JMS Appender class in any of our products, nor is the class included in the jar.

What mitigation steps to contain or minimize the attack surface area has Adaptiva taken since the vulnerabilities were discovered?

Adaptiva is currently testing the latest version (2.17.0) of the Log4J library, which contains the fix for this flaw. Once our test cycle is complete, we will include the updated library in the January 2022 product release cycle. There is no risk to your clients due to having the Adaptiva client installed, and you may upgrade to the new build at your convenience.

Has Adaptiva mitigated the situation per the industry guidance from Apache Foundation and CISA recommendations? 

Adaptiva is currently working to upgrade the version of Log4J to the recommended version (2.17.0) from the Apache Foundation. We expect to incorporate it in our next release in January 2022 depending on the test results and integration requirements.