RCE Vulnerability CVE-2021-44228 Update from PrecisionLender

December 14, 2021

The Apache Software Foundation has released a security advisory to address a remote code execution (RCE) vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and private and public cloud services. On December 10, Apache released version 2.15.0 to address this vulnerability along with a mitigation for versions greater than or equal to 2.10.

Q2 Response
While the vast majority of Q2 applications do not leverage Java as a programming language, and therefore Apache and log4j is not a prevalent library on the Q2 platform, some 3rd party applications do contain the log4j binary. The log4j library has not been detected as a runtime application and therefore the risk of exploitation remains extremely low. Q2’s Security Incident Response continues to scan all systems and patch remediation is underway. WAF signatures intended to prevent exploitation have been deployed to environments as an additional means of mitigation, this is designed to keep the exploit from crossing the perimeter and into the hosting environments.

PrecisionLender does not use Apache/log4j libraries in its codebase, and the PrecisionLender team is working closely with the larger Q2 organization to ensure alignment with overall response and remediation activities.

In addition to the remediation described above, Q2 practices a defense-in-depth security strategy protect against new vulnerability exploits. This includes endpoint detection and response (EDR), which makes it more difficult to successfully leverage such a vulnerability, and robust monitoring of and response to anomalous actions on our systems that are likely to follow such a vulnerability exploit.

Thank you,

Q2 Security Incident Response