Apache Log4j Utility Vulnerability
HSI examined all proprietary applications, and determined there was no direct implementation of Log4j in use. During the course of the investigation process, a small number of secondary applications that leverage Log4j were identified, but these applications were limited to non-production functions and as such posed low risk of system compromise as they were not publicly accessible. All identified applications have now been updated to include the published remediation for CVE-2021-44228, or vendor-supported mitigation steps have been applied. HSI Continues to monitor vendors and third-party service providers for any additional updates they provide regarding investigation, mitigation, or any other updates.
At this time, there is no identified direct implementation of the Log4j utility in use by any HSI application. On December 9th, Apache disclosed information about a critical vulnerability in the Log4j utility. HSI has been reviewing all proprietary applications for any use of the Log4j utility. HSI is currently communicating with all vendors and third-party service providers to verify any tertiary use of Log4j, and tracking responses and remediation status where relevant. We will keep you updated in the event we detect any issues.