Lunavi Response to Log4j Vulnerability
On Friday, December 10, 2021, the vulnerability CVE-2021-44228, commonly referred to as log4j, was initially published and Lunavi initiated its emergency response plan. Shortly after the initial release, additional vulnerabilities were identified: CVE-2021-45046 on December 14th and CVE-2021-45105 on December 18th.
Since these initial releases, multiple bad actors have begun to focus their efforts on this evolving threat, which is expected to be given the highest CVSS score of 10. The extent to which the affected Java-based software is integrated into everyday technologies and platforms is still being discovered, and new findings are released daily.
Lunavi has completed an initial assessment of all systems, vendors, and related technologies. We will continue to review and monitor all systems as more information is released. We have already taken proactive actions and executed emergency procedures to implement vendor-related workarounds and/or patches where available, and have removed systems from the network that could not be immediately remediated.
We will continue to communicate with our vendors, monitor the situation, and be prepared to execute any additional updates that may be released or take further remediation action as relevant information is released.
Additional information related to this vulnerability can be found by visiting the following sites:
- https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html
If you have any additional questions, please do not hesitate to contact our support department at support@lunavi.com.