Log4j is an open source Java-based logging tool and is an important component of software development. Logging is a process where applications keep a running list of activities they have performed which can later be reviewed in case of error. Nearly every network security system runs some kind of logging process, which gives popular libraries like Log4j an enormous reach.
The vulnerability, also dubbed Log4Shell, could allow attackers to have uncontrolled access to computer systems. Log4j is widely used by organizations across the world, and the vulnerability has led several government agencies to issue warnings on its potential impact.
The Diligent security team has been working to mitigate the risk to our own computer systems and to protect customer information and data.
To date, we have reviewed the impact of the Log4j vulnerability across our application code repository and confirmed that no Log4j is in use within our production code.
Additionally, Diligent's Security Operations team, working with its managed security service provider CrowdStrike on Friday afternoon, set up an active alert should any Log4j-related activity be detected on Diligent's network. Diligent has not seen any suspicious activity related to Log4j.
The security team is actively monitoring the situation and will provide updates as the situation changes.
Third-Party Applications:
In addition to the impact analysis performed on Diligent application code, we are also actively working with other third-party vendors to determine if the vulnerability affects their products. Diligent has applied applicable security patches to the affected third-party systems and will continue to do so when additional vendor-provided patches become available.