As you are probably aware, a severe vulnerability called Log4Shell has been detected in the Log4j software component. This poses a severe threat to any organization using the software. We therefore kindly ask you to provide us with information about the exposure of your application/service to the vulnerability, which steps have been taken, and any recommended actions to mitigate the risk for the application/service you are providing. All answers will be treated as strictly confidential. We also understand that it can be complex to answer these questions, and that the result of an initial assessment may differ from a more detailed analysis performed later. Any findings that contradict an initial answer are welcome as complementary information.
- Is your application Java-based, or does it use Java-based component(s)?
- Does it use Log4j? If so, is a vulnerable version of Log4j used? Currently vulnerable versions are log4j-core versions >=2.0-beta9 and <=2.16.0; any 1.x version could potentially also be exposed.
- Which actions have been taken to validate that your application/service isn't exposed to the vulnerability?
- If you have detected that your application/service is exposed to the vulnerability, which actions have been taken to mitigate the risk?
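A small helper, added here and not part of the questionnaire, that classifies Log4j jar versions against the range stated above, applying it literally (log4j-core >=2.0-beta9 and <=2.16.0 is "vulnerable", any 1.x is "potentially exposed"); the pre-release ordering, the jar-name pattern and the sample file names are my assumptions.

```python
import re
from pathlib import Path

# Range as stated in the questionnaire above.
VULN_LOW = "2.0-beta9"
VULN_HIGH = "2.16.0"

# Assumed pre-release ordering: alpha < beta < rc < final release.
_PRE_TAG = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3

def parse_version(v):
    """Turn '2.0-beta9' or '2.16.0' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch, tag, num = m.groups()
    pre = (_PRE_TAG[tag], int(num)) if tag else (_FINAL, 0)
    return (int(major), int(minor), int(patch or 0)) + pre

def classify(version):
    """Return 'vulnerable', 'potentially exposed' or 'not in range' per the stated range."""
    t = parse_version(version)
    if t[0] == 1:
        return "potentially exposed"
    if parse_version(VULN_LOW) <= t <= parse_version(VULN_HIGH):
        return "vulnerable"
    return "not in range"

# Assumed artifact naming: log4j-core-<ver>.jar for 2.x, log4j-<ver>.jar for 1.x.
# log4j-api-*.jar and other modules deliberately do not match.
_JAR_RE = re.compile(r"^log4j(?:-core)?-(\d.*)\.jar$")

def scan_jar_names(paths):
    """Map each matching jar path to its classification; other files are skipped."""
    results = {}
    for p in paths:
        m = _JAR_RE.match(Path(p).name)
        if m:
            results[p] = classify(m.group(1))
    return results

if __name__ == "__main__":
    # Constructed sample file list, not taken from any real deployment.
    sample = ["lib/log4j-core-2.14.1.jar", "lib/log4j-api-2.14.1.jar",
              "legacy/log4j-1.2.17.jar", "lib/log4j-core-2.17.0.jar"]
    for path, verdict in scan_jar_names(sample).items():
        print(f"{path}: {verdict}")
```

Versions the regex does not recognise raise ValueError rather than silently passing as safe, so unusual build strings surface for manual review.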
For software providers:
- When will an updated version of your software be provided?
- Is there any fix that can be applied to mitigate the risk, e.g. can the Log4j library file be deleted from the software package?
- Do you have any other mitigating actions to recommend?
For Cloud Service Providers – SaaS services:
- Which actions have been taken to mitigate the risk?
- When is the vulnerable component expected to be replaced?