Cybersecurity Threat Alert
By: John Otte, Director of Cloud and Security, CISO
On December 9th, 2021, a zero-day cybersecurity vulnerability was discovered in a widely popular Java logging framework named Apache log4j version 2.x. This vulnerability was assigned the maximum possible severity score of 10.0, with a severity rating of “Critical” by the National Institute of Standards and Technology (NIST). This vulnerability has been assigned the name “Log4Shell.”
The Paradigm Cybersecurity team has investigated the potential exposure and impact to our customer-facing products and internal corporate resources.
Based on this investigation, we’ve determined that none of our products or internal resources are currently impacted by or exposed to this vulnerability.
NIST Public Vulnerability Disclosure Link: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Threat Advisory at a Glance
|Paradigm Impact Rating
|Specially crafted strings parsed by log4j2 can allow for remote code execution within the rights of the logging application, allowing full control of the affected system and the capability to reach out and run arbitrary code.
|Applications using log4j2
|Non-effective exploit scans were discovered by Paradigm Cybersecurity on 12/10/2021. The presence of such scans may indicate that threat actors are actively attempting exploitation.
Potential Impact to Other Organizations
Attackers could exploit public endpoints within an impacted network to compromise machines and use them to move laterally, undetected, within that network. Attackers could also inject data into affected applications that may be used later for exploitation. Paradigm customers are encouraged to evaluate their own usage of impacted log4j versions to determine their own levels of risk and potential exposure.
Advisory Issuer Information
|Senior Database Administrator
|John August Otte
|Chief Information Security Officer
|DATE OF RELEASE:
This Cybersecurity Threat Alert is provided as a courtesy to our customers and Paradigm assumes no liability for its accuracy, impact to customer products, or change in risk severity levels.