Menlo’s response to log4j vulnerability (CVE-2021-44228)
Menlo Security is aware of the critical vulnerability affecting the log4j library. We are continuing to monitor the situation and will continue to provide updates where appropriate. For more details, see below and read our KB article here.
Update 2[2021-12-13]
Menlo Security has completed patching log4j in the cloud environment for all nodes that could potentially process untrusted inputs. We are continuing to work on the remainder of low-risk log4j nodes.
As per our previous statement, in the Menlo cloud architecture log4j processes log messages generated by other Menlo modules. The messages do not contain external user-controllable strings. Since log4j is not processing untrusted data, the likelihood of exploitation remains very low. Our security team has not been able to reproduce an exploit even when a user is authenticated.
For premise customers, we are working on an updated version that will contain the patched version of log4j. Since our premise solution mirrors our cloud architecture, all the statements above about the low likelihood of exploitation applies to our premise customers too. Out of an abundance of caution, we are still releasing an updated version.
Update 1[2021-12-10]
Menlo Security has log4j deployed in a small portion of the environment. At this time we do not believe this is easily exploitable within Menlo Security’s implementation and have not seen any evidence of exploitation. We have added additional monitoring and are in the process of patching. If there are any other developments we will provide additional updates where appropriate.
Internal Corporate Applications:
Menlo Security is also reviewing potential impact within our corporate applications and patching where appropriate.
The post Menlo’s response to log4j vulnerability (CVE-2021-44228) appeared first on Menlo Security.
