Apache Log4j project disclosed CVE-2021-44228, which is a Critical (CVSS 10.0) remote code execution vulnerability affecting Apache Log4j2 version<= 2.14.1. A subsequent security patch was released on Dec 10, 2021.

We have observed widespread scanning and exploitation of this vulnerability over the internet using a publicly available PoC (Proof of Concept) exploit. TechBento has completed investigating our product line to scope and impact.  We have determined that none of the products we use or our materially significant vendors are impacted.  Additionally, utilization of Log4j does not immediately suggest exploitation is possible. The below table will be utilized to document which products are using vulnerable version(s) of Log4J, and whether they are impacted.

What else are we doing?

Last week we had a soft-launch of Bento Portal, our security assurance software product.  We made the decision today to expedite the delivery of Vendor Management modules which were not slated to be implemented until Q2 of 2022.  While the full module will not be available today, we will launch a limited series of features in preview to help our customers track risks associated with vendors.