24-12-2021

Apache security incident and what you need to know

Over the weekend you may have seen media about a globally wide-reaching Apache Log4j java logging library vulnerability that is actively being exploited across IT environments.

Overview


Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. Many applications rely on it to record information about what happens while the software is running and to pass that information on to other applications or systems.

Given the listed severity of this security incident, we have been actively engaged in mitigation and have taken a risk-based approach, initially focused on those systems that are accessible to the internet.

At this point in time, we have no evidence of any exploitation of Smartly's internal systems and can confirm that Smartly products are unaffected by this global issue.

However, for your other platforms and products, please use the following advice as a guide to address the vulnerability and its impacts in specific environments.

Advice to customers

As this scenario is evolving and elements are likely to change over time, the following guidance remains good practice:

  • Monitor your anti-virus vendors for updates and install them as they are made available.
  • Ensure that user education is current and that users know to be on heightened alert for emails that try to trick them into clicking links and providing information. It is likely that successful exploits will not be used immediately, as threat actors seek to gain access to as many systems as they can before they are patched.
  • As a precaution, review your incident response process and your ransomware response playbook, if you have one.

Vendors will release patches over time. It is important to be aware, however, that while Apache themselves have released a patch, it is only effective for organisations that are running specific Apache software. In most cases the patched library will need to be incorporated into a larger application, and that application will then be released with its own update.
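Because the fix has to arrive inside each vendor's larger application, a practical first step is to find out where Log4j is actually embedded. The following Python script is an added example, not Smartly's or Apache's code: it opens an application archive, recurses into any jars nested inside it, and reports each bundled log4j-core copy together with the version recorded in its Maven metadata; the sample archive and its version number are constructed here purely for illustration.

```python
import io
import re
import zipfile

# Log4j 2 jars carry their Maven coordinates; the version is recorded here.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def _version_from_props(data: bytes) -> str:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"

def scan_archive(data: bytes, location: str, findings: list) -> None:
    """Look inside an archive, and any archive it bundles, for log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive; nothing to inspect
    with zf:
        for name in zf.namelist():
            if POM_PROPS.search(name):
                findings.append((location, _version_from_props(zf.read(name))))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Fat jars, WARs and EARs ship their dependencies as nested
                # archives, which is why the vendor, not Apache, delivers the fix.
                scan_archive(zf.read(name), f"{location}!/{name}", findings)

def build_sample_app() -> bytes:
    """Constructed sample: an app jar bundling a log4j-core jar (version is made up)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "version=2.14.1\nartifactId=log4j-core\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()

def scan_sample() -> list:
    findings = []
    scan_archive(build_sample_app(), "app.jar", findings)
    return findings
```

On a real host, call scan_archive on the bytes of every .jar, .war or .ear under an application's install directory; each finding names the outer file and the nested path where the library sits, so you know which vendor update to wait for.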
