On December 9th 2021, Apache published a zero-day vulnerability (CVE-2021-44228) in Apache Log4j, referred to as “Log4Shell”. This vulnerability has been classified as “Critical” with a CVSS score of 10, allowing for Remote Code Execution with system-level privileges.
When exploited, this vulnerability allows an attacker to run arbitrary code on the device, giving the attacker full control of it. Any exploited device should be considered compromised, potentially along with any devices that trusted the compromised device.
Our Commitment to Security
eMarketeer has identified the affected components and is updating them no later than 15 December 2021. All affected components are services running backend tasks, with no interface towards the internet. There is no evidence of compromise at this time, and we have updated our Web Application Firewall (WAF) to block Log4JRCE requests as an additional layer of defense.