Coretelligent Updates for the Log4j Vulnerability

****Update for Tuesday, December 21, 2021****

As of 12/21 at 2 pm EST, we completed our initial round of customer server scans. We identified a very small subset of impacted customers and servers. We are actively reaching out to coordinate patching and remediation efforts for those customers.

Our next scanning phase will focus on workstations (these are a lower risk as they are not Internet-facing compared to servers). We will begin workstation scanning for any potential Log4j vulnerabilities and share those results at the end of the week or early next week.

We are continuing to monitor vendor notices and updates and will provide customer updates as the situation continues to develop throughout the holiday.

****Update for Monday, December 20, 2021****

We can confirm that all internal Coretelligent infrastructure has been scanned and found to be not impacted or vulnerable.

We are actively testing our server and endpoint scanning script via Kaseya VSA and will have updated results tomorrow for customer-specific remediation updates.

Customers with CoreArmor Advanced or Enterprise, and customers with SentinelOne Complete, are also being actively scanned and monitored by these solutions. Any items discovered will be reported and remediated.

****Update for Tuesday, December 14, 2021****

This is the latest update regarding the Apache log4j vulnerability that we notified you about earlier this week.

We have been continuing to monitor the situation and wanted to provide an update to keep you well informed. We will provide additional updates via email and at this link as necessary.

At this time, there are no actions required for end-users and we are monitoring and awaiting vendor patches for immediate testing and rollout later this week

For clarification, Coretelligent, nor any of our CoreArmor customers, have been affected by this security issue. The multi-layered security approach we employ offers visibility, prevention, and protection across the board.

If you have any questions, please contact Coretelligent at 1-855-841-5888.

Response Timeline

12/14/21 – Coretelligent is actively engaging in the following actions across all customer environments:

  • Priority 1 – Identification & Scope

We are focused on identifying any internet-facing devices running Log4j and working to upgrade or apply mitigations where possible. To achieve this goal, we are actively scanning all customer servers and workstations for any references to the Log4j package and will notify individual customers if anything is discovered.

  • Priority 2 – Prevention & Blocking:

We are reviewing all customer managed firewalls to ensure IPS blocking rules are in place to protect against external scanning/exploit of this vulnerability against any Internet facing resources that may have the Log4j package present.

  • Priority 3 – New Updates & Developments:

We will continue to monitor all major vendor product advisories for updates or changes and will perform appropriate emergency change management and maintenance activities as needed based upon vendor guidance.

12/13/21 – Coretelligent has been monitoring vendor responses and evaluating scanning tool options for further identifying any Log4j components in customer environments.

12/12/21 – Sent initial communication to customers and provided blog post for incident tracking.

Coretelligent verified that CoreArmor had detection capability in place for the vulnerability and SentinelOne has blocking protections in place to prevent the Log4j vulnerability from being exploited locally.

Compiled initial list of vendor responses and began reviewing publicly available materials around patching and mitigation options.

General Guidance/Resources

Please reference the following government resources on this topic.

Scanning Tools:

The following scanning tools have been released, and Coretelligent is testing and evaluating their effectiveness to assist with further scanning of client environments for any potential vulnerable Log4j installations or embedded components.

Coretelligent Platforms:

At this time, all critical Coretelligent monitoring, management, and authentication platforms are not impacted or have otherwise been mitigated/patched. Sample vendor materials for direct reference below.


Vendor Statements and Advisories:

We have compiled the following list of critical vendor advisories around this vulnerability. The team is monitoring these for vendor updates around patch releases and further mitigation advice.

****Update for Monday, December 13, 2021****

Coretelligent has been actively monitoring an evolving security event since late last week. On December 9th, a remote code execution (RCE) vulnerability in the Java logging library Apache log4j was identified in the wild. Public proof of concept (PoC) code was released, and subsequent analysis revealed active exploitation and scanning activity in the wild on Friday, December 10th, and throughout the weekend.

This vulnerability has been designated as CVE-2021-44228. It is being investigated by many large cloud and software vendors, and it is likely that many products will be found to be vulnerable as more is learned about the flaw over the coming days and weeks. The flaw is extremely easy to exploit and enables attackers to gain complete control of affected servers. The package is widely used in many cloud and web applications, so the potential risk is widespread and significant. Many security experts are comparing this to a flaw from 2017 tied to the Equifax data breach.

The good news is that Apache has released configuration mitigations and an update to address this particular issue. These updates will provide vendors with multiple paths to mitigate, secure, and avoid this exploit moving forward in their products over the coming days and weeks.

Coretelligent is closely monitoring the situation and will proactively update clients about impacted vendors and applications. We will also notify clients about any necessary scheduled emergency maintenance to apply mitigations and patches as they are released and tested by their respective vendors. Currently, there are no actions required for end-users.

CoreArmor clients have additional visibility and protection through the AT&T Cyber Security OTX threat feed. This feed allows Coretelligent to monitor our clients’ infrastructure and environment for activity related to this vulnerability. Additionally, other key security vendors utilized by Coretelligent—including Fortinet and SentinelOne—are aware of this vulnerability and provide detection and blocking capabilities.

Key Coretelligent management and monitoring tools/vendors are not presently impacted at this time, this includes the following:

For clarification, Coretelligent, nor any of our CoreArmor customers, have been affected by this security issue. The multi-layered security approach we employ offers visibility, prevention, and protection across the board.

The following resources are helpful references for tracking vendor vulnerability, response, and ongoing updates:

More information about this event can be found here:

Due to the timing, many vendors will require more time to create, test, and release updates for their products that may leverage this vulnerable software package. We will continue to monitor this situation and provide additional updates at this link. In the meantime, if you have any questions, please contact Coretelligent at 1-855-841-5888.

by
« »

Latest Insights / Articles