Sectigo Update on Log4j Java Logging Exploit
Over the past week, there has been a lot of news surrounding a newly discovered Remote Code Execution (RCE) vulnerability in the Java logging library Log4j, tracked as CVE-2021-44228. This vulnerability potentially affects over a third of web servers worldwide, since this Java logging library is so prevalent on Apache web servers and widely used in the development of Java applications.
There Are Currently No Threats to Sectigo Solutions
The Sectigo infrastructure and development teams have been assessing the situation and have confirmed that there are no threats to any existing Sectigo solutions. Sectigo has confirmed this by scanning all source code repositories for the Java logging library and by performing vulnerability scans of our retail sites and web applications. Sectigo will continue to monitor the situation and post updates if appropriate.
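As an added illustration of the repository scan described above (example code written for this page, not Sectigo's own tooling), the script below walks a directory tree, reads the Maven pom.properties that each log4j-core JAR embeds, and flags any copy older than a caller-supplied minimum version. MIN_PATCHED is a placeholder to be set from Apache's advisory for CVE-2021-44228, and the 2.14.1 and 2.99.0 fixtures in demo() are constructed test data.

```python
import io
import os
import tempfile
import zipfile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_PATCHED = "0.0.0"  # placeholder: set to the fixed release named in Apache's advisory

def parse_version(text):
    """'2.14.1' or '2.14.1-rc1' -> (2, 14, 1), so versions compare numerically."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def log4j_core_version(jar_bytes):
    """Version from a JAR's log4j-core pom.properties, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:  # not a JAR at all: skip it rather than abort the scan
        pass
    return None

def scan_tree(root, min_patched=MIN_PATCHED):
    """Walk root; return (path, version) for each log4j-core JAR older than min_patched."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    version = log4j_core_version(fh.read())
                if version and parse_version(version) < parse_version(min_patched):
                    findings.append((path, version))
    return findings

def build_sample_jar(version):
    """Constructed fixture: a minimal JAR holding only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

def demo(min_patched="2.99.0"):
    """Constructed tree: log4j-core 2.14.1 beside a made-up 2.99.0; returns flagged versions."""
    with tempfile.TemporaryDirectory() as root:
        for ver in ("2.14.1", "2.99.0"):
            with open(os.path.join(root, f"log4j-core-{ver}.jar"), "wb") as fh:
                fh.write(build_sample_jar(ver))
        return [v for _, v in scan_tree(root, min_patched)]
```

The scan reads only top-level archives; a log4j-core bundled inside a WAR or shaded JAR has to be unpacked and its members checked the same way.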
As for patching the vulnerability, Apache quickly released a security update. You can learn more about the latest release and how to update Log4j here.
Update Critical Business Apps and Services
Sectigo also recommends that everyone pay close attention in the coming weeks. While the latest Log4j update has fixed the vulnerability, many applications and services are still using older versions of the Log4j framework. This means that the vulnerability is still being actively exploited.
Although there is no evidence that the exploit was being used before a few weeks ago, there has been an uptick in bad actors scanning critical infrastructure around the world, possibly to aggregate data on organizations that are still vulnerable. There have also been cases of attackers using this exploit to embed botnets, cryptominers, and other malicious code for future use, which we widely expect to include ransomware.
With all critical vulnerabilities such as this, we ask that everyone stay vigilant and ensure all critical business apps and services are up to date.