Apache Log4j is a universal, open-source Java library that developers use to keep a record of activity within an application. On December 9, 2021, security researchers published details regarding a vulnerability in Apache Log4j on all versions from 2.0-beta9 to 2.14.1 that can lead to remote code execution (RCE). On December 10, Apache released version 2.15.0 to address and mitigate this vulnerability for versions at or after 2.10. Notably, this vulnerability was rated a 10 on a scale of 1 to 10 by the Apache Software Foundation, which oversees the software development.
TRI-AD has reviewed its usage of Log4j in its customer-facing environments and has determined we are not using a vulnerable version of Log4j. We will continue to review our internal and third-party applications and work with our partners as they inform us of any remediation required.
Actions that TRI-AD Has Taken:
TRI-AD has multiple layers of protection in place against this threat, including real-time monitoring for indicators of compromise and alerts for attempts to exploit this vulnerability. At this time, we have not detected any suspicious activity in our environment related to Log4j.
Actions TRI-AD’s Clients Need to Take:
TRI-AD recommends that clients follow the guidance provided by Apache and the U.S. Government’s Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) and upgrade to version 2.15.0 immediately. Please see the following:
TRI-AD and our Associates’ suggestions or recommendations shall not constitute legal advice. No content on our website can be construed as tax or legal advice and TRI-AD may not be considered your legal counsel or tax advisor. Clients are encouraged to consult with their tax advisor and/or attorney to determine their legal rights, responsibilities, and liabilities. This includes the interpretation of any statute or regulation, federal, state, or local; and/or its application to the clients’ business activities.