On December 10, 2021, the Apache Software Foundation published an advisory to address a critical remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. In response to this advisory, the Cybersecurity & Infrastructure Security Agency (CISA) is encouraging users and administrators to upgrade Log4j. Additional updates from Apache resulted in a recommendation to update to version 2.17.0 or apply the recommended mitigations immediately. See the CISA website for more details: Apache Log4j Vulnerability Guidance (CISA).
Ensono has assessed the potential impact of this vulnerability on Ensono’s services and clients. Ensono has applied all currently published signatures to its firewalls and endpoint protection software and, thus far, continues to find no indication of published compromises.
Ensono has remediated a large number of systems and continues to remediate remaining impacted systems in accordance with third-party vendor recommendations. For clients that have vulnerability scanning as part of their services, these environments are being scanned, and reports are being provided to the clients and appropriate Ensono teams for action.
“As we continue to monitor the vulnerability affecting Log4j, we want to assure all our clients and stakeholders that Ensono is actively scanning environments and has so far found no indication of compromises,” said Savio Lobo, chief information officer at Ensono. “We will continue to assess how this threat evolves and take necessary actions to ensure that our client’s systems are protected.”