Keystone Systems continues our analysis of the remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications) disclosed via GitHub on 9 Dec 2021. As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we want to relay our current standing, our mitigation of it, and our continued diligence in defending against this and other potential attacks.
In addition to monitoring the threat landscape for attacks and developing customer protections, our operations team has been analyzing our products and services to understand where Apache Log4j may be used, and is taking expedited steps to mitigate any instances. Currently, we have identified one piece of software core to the KLAS application that was vulnerable. The vendor that produces the identified software has provided mitigation steps for the Log4j threat, and those actions have been put into place in Keystone’s hosting environment. For Keystone’s self-hosted customers, if your IT has allowed us access to your system, we are rolling out this action as well.
If your IT department has questions, or if you are a self-hosted customer who would like to apply the correction yourself, please don’t hesitate to contact Keystone. If you are interested in the technical details for the affected software, please see the vendor’s security report.
As always, Keystone will continue to utilize industry best practices to keep your databases as safe as possible. Those practices include daily network and penetration scanning, enterprise-class anti-virus software, daily malware scanning, and a dedicated patching schedule. If you, or your IT department, have any questions about Keystone’s security practices, please submit a request for our annual SSAE SOC II audit report.
Thank you,
Lee Higley
IT Manager
Keystone Systems