On December 9th, 2021, a vulnerability in the common Java utility Log4J was detected that essentially allows for remote code execution (RCE) without authentication.
Many of our partners and customers wish to understand if any of their suppliers are exposed to this vulnerability – as they should. We are asking our key partners and suppliers similar questions and many have issued notices such as this one.
Block 64’s products are not built in, nor are they executed via, Java, and as a result, do not use Log4j or any ported versions of Log4j, and are not exposed to this vulnerability. To ensure no other methods could be used to exploit the Log4J vulnerability, Block 64 has conducted a thorough review of our DevOps processes and the underlying tools we use to build, manage and support our software, and found no use of or dependency on Log4J.
That said, the Log4j vulnerability is a wide-ranging vulnerability affecting core technology including routers, billing systems and many other layers of technology – it is a developing story, and one we are watching closely to ensure that we react appropriately to any new facets to the threats it represents. We will continue to update on our progress in doing so here.
Assessing Your Own Exposure
Block 64 has released a report that matches the installed software titles in your environment against reported vulnerabilities from the CISA list of known exposures, using a natural-language comparison methodology to account for the different ways installed software shows up across versions, editions and even from customer to customer.
Because the way vulnerabilities are reported does not always line up tidily with the way software shows up in an environment, each match in our report carries a confidence rating that indicates the likelihood that it corresponds to a known vulnerability.
The Block 64 report will display any affected application versions; however, because of the many diffuse ways Log4j can be embedded in an environment, full detection requires scanning your endpoints entirely for any affected .jar files. The diagram below, from the US Cybersecurity and Infrastructure Security Agency, describes methodologies for detecting exposure:
Source: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
CISA’s page on this vulnerability contains lists of affected products, as well as a simple scanning tool that looks for affected .jar files. Please note that this level of drive scanning can be quite resource intensive, but we believe it to be the only way to be certain that all potential exposure points for this vulnerability have been assessed.
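As an added illustration of the endpoint .jar scan described above (example code written for this page, not Block 64's report or CISA's tool), the following Python script walks a directory tree, opens every jar, war or ear it finds, recurses into archives nested inside them, and reports any that carry log4j-core's JndiLookup class together with the version recorded in the jar's Maven pom.properties. The sample tree it scans is constructed in a temporary directory; the file names and layout in it are assumptions.

```python
import io, os, re, tempfile, zipfile

# JndiLookup.class ships in log4j-core 2.x; its presence flags a jar carrying JNDI lookup support,
# and the Maven pom.properties inside the jar gives the version to compare against Apache's fixed
# releases (the class alone does not prove a build is unpatched).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def inspect_archive(zf, path):
    # Returns [(archive path, version)] for this archive, recursing into nested archives.
    hits, names = [], set(zf.namelist())
    if JNDI_LOOKUP in names:
        m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M) if POM_PROPS in names else None
        hits.append((path, m.group(1).decode().strip() if m else "unknown"))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            try:  # nested jar inside a war/ear: open it from memory and scan it too
                hits.extend(inspect_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))), f"{path}!{name}"))
            except zipfile.BadZipFile:
                continue
    return hits

def scan_tree(root):
    # Walks root, opening every archive it can read and collecting log4j-core hits.
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    hits.extend(inspect_archive(zf, full))
            except (zipfile.BadZipFile, OSError):  # unreadable, or not really a zip
                continue
    return hits

def build_sample_tree():
    # Constructed fixture, not a real log4j binary: a jar with the JndiLookup entry and a 2.14.1
    # pom.properties nested inside a war, plus one benign jar (all names are made up).
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(POM_PROPS, b"version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "benign.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"")
    return root
if __name__ == "__main__":
    for path, version in scan_tree(build_sample_tree()):
        print(f"log4j-core {version} found at {path}")
```

Pointing scan_tree at a real filesystem root produces the list of archives to compare against the affected versions in the linked Apache and CISA notices.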
For more information on this vulnerability, please visit the following links:
CISA Apache Log4j Vulnerability Guidance
Apache’s notes on the Log4J vulnerability
National Vulnerability Database CVE Entry
Microsoft Guidance on Prevention, Detection and Indicators of Compromise
For any more information or questions, please contact support@block64.com.