LOG4J Vulnerability


Consolidated Analytics has completed a comprehensive audit of its systems including the web platform, third-party application, and the command-line tool.  Based on the audit, Consolidated Analytics is not impacted by the Apache Log4j vulnerabilities identified as CVE-2021-44228 and CVE-2021-45046.

We have observed no indications that any customer data has been compromised and remain vigilant to any events related to log4j exploits.

Immediately following the release of information about the zero-day in Log4j, Consolidated Analytics launched several simultaneous actions coordinated by the security team:

  1. Security incident response teams increased scrutiny of any indicators that may be related to Log4j attacks.
  2. Information Technology Infrastructure teams began patching services that were known to be using vulnerable versions of Log4j.
  3. Security and operations teams began utilizing several overlapping scanning techniques to look for exploitable servers across all of our servers, starting with externally-facing and continuing to those in our private networks.
  4. Security teams began using several overlapping tools and techniques to determine all services that utilize vulnerable versions of Log4j.

To remediate any risks discovered, we have used a combination of techniques. Ultimately, we will patch all services using Log4j to the latest version, but for expediency, in some cases, we have rendered the services unexploitable by removing certain classes and changing configurations.

If you have any questions or concerns, please do not hesitate to reach out to us at infosec@ca-usa.com.