How is Notarius handling the Log4j vulnerability?
On December 10, 2021, details emerged about a critical remote code execution vulnerability in Apache Log4j, tracked as CVE-2021-44228. Notarius has assessed this vulnerability and determined that it cannot be exploited on any of its products and solutions (CertifiO, CertifiO Manager, EESP, ConsignO Desktop, ConsignO Cloud, ConsignO Server, VerifiO, Hosted HSM, Hosted VDS and related APIs for all products).
Out of an abundance of caution, we have also taken the following measures:
- December 10: Updated our Web Application Firewalls (WAFs) to filter out suspicious requests that attempt to exploit the Log4j vulnerability
- December 10: Confirmed that none of our logs since December 3rd contain a suspicious payload
- December 13: Updated ConsignO Cloud with the latest version of Log4j
- December 14: Updated CertifiO Manager and the CertifiO Suite
Even though the vulnerability cannot be exploited on our products, we are committed to updating all services and software packages to the latest version of Log4j before December 16th at 10 pm EST. This page will be updated with our progress until then.