On December 9th, 2021, Apache confirmed a serious vulnerability impacting the widely used Java logging library Apache Log4j. Successful exploitation of this vulnerability may allow arbitrary code execution on systems and services that use the library. Since then, further vulnerabilities have been found in subsequent patches, requiring additional remediation.
Each organization has the responsibility to ensure the products it brings to market are secure. LogicGate, like many other organizations, has had to carry out emergency remediation to implement patches promptly as they become available. However, securing your own product is only part of the equation.
For organizations with supporting vendors or data sub-processors, there may be an additional need to perform some level of third-party due diligence to mitigate the supply chain risk introduced by this vulnerability. In other words, how do you know whether the vendors you rely on are responding appropriately?
To assess third-party risk as it relates to the recent Log4j vulnerabilities, consider asking your vendors or subcontractors some or all of the below questions.
A Recommended List of Third-Party Questions:
- Does the third-party service or product use Apache Log4j in their environment?
- What is the third party’s assessment of the vulnerability impact?
- What is the third party’s current remediation status for any impacted applications?
- Has the third party upgraded to the latest available version of Log4j?
- If the third party provides software to your organization, are there any specific actions (e.g., required updates or configuration changes) that your organization needs to take to ensure the vulnerability has been addressed or remediated within your environment?
- How is the third party assessing its own third-party risk? Has the third party assessed the vendors and subcontractors that it uses?
When the relevant third parties are too numerous or too complex to assess by manual means, LogicGate offers a Third-Party Compromise Assessment Application that helps automate the information-gathering process. For more guidance on detection and remediation steps, visit the Cybersecurity & Infrastructure Security Agency’s Log4j Vulnerability Guidance page. To learn more about the LogicGate team’s response, visit this page.