Fusion’s Response to Log4j
Last Updated Dec 16th 3:00 pm GMT
Patch for Talos was released on 14th December. On-premise customers have been contacted to support remediation. Cloud customers and instances are being patched and migrated. Estimated time to completion 17th December 2021.
On the morning of Friday, December 10th, a new exploit was reported in “Log4j”, a widely used logging component of the Apache logging framework. This much-reported vulnerability, which is already being widely exploited by a growing set of threat actors, can be trivially exploited with no elevated permissions and poses a significant risk to a wide range of applications in use across modern enterprises.
What is Fusion GBS doing to combat security threats?
Fusion Global Business Solutions is treating this issue with the utmost seriousness. As soon as we received intelligence of the Log4j vulnerability (CVE-2021-44228), our security and support teams initiated investigations to ensure our systems are protected. Via a comprehensive review and impact assessment, we have identified a number of systems that are potentially vulnerable and are prioritising patching and update efforts to provide protection. Fusion is continuing to patch or mitigate as vulnerable configurations are identified.
As of December 13th, 2021, Fusion has observed no indicators of compromise in our own environments. We will continue to work with customers to support their mitigation efforts, and have reached out to our third-party suppliers providing critical Fusion services to determine their impact and the status of remediation and patching activities.
The security of our systems and those of our customers is our top priority and crucial to our ongoing commitment to transparency and trust for our customers. Fusion continues to monitor information and guidance provided by the NCSC, CISA, internal and external threat intelligence and vendors for new information. We will continue to take prompt action as necessary.
Useful Links (external sites)
- National Cyber Security Centre Alert (UK)
- Cybersecurity & Infrastructure Security Agency (US)
- CVE Detail (mitre.org)
- CVE Detail (NIST)
Software developed by Fusion GBS (eBonding, Talos, Agility Suite) has been reviewed by the Fusion engineering team:
- Agility Suite: not affected
- eBonding: not affected
- Talos: affected – patch available and in deployment with existing Talos instances
External Software Vendor Links
- BMC Security Advisory
- Automation Anywhere (Community Post)
- Logic Monitor
- Tekwurx uControl
We await vendor information from uControl, Kore.ai, and RRR (License Analyzer) and will update this post with more information when available.