EI and Log4J
Updated December 12, 2021
EI has been reviewing its systems, including its web platform, APIs, and network infrastructure. EI has established that it is not vulnerable to the Apache Log4J vulnerabilities CVE-2021-44228 and CVE-2021-45046. EI does not use Apache servers to deliver any of its services. EI has identified a couple of internal systems that were vulnerable to Log4J, and the fixes have been applied (detailed below).
EI identified an internal Java-based system (Ubiquiti UniFi Network Controller), used in satellite offices to manage Wi-Fi configurations, as being vulnerable to Log4J. These controllers have been updated to 6.5.55, which the vendor supplied to fix the vulnerability. EI has been monitoring outbound traffic for LDAP connections. Ubiquiti statements: https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207 and https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1
EI identified VMware vCenter Server 6.7 as a vulnerable system that uses Log4J. EI has applied the resolution instructions in the VMware workaround for CVE-2021-44228 (https://kb.vmware.com/s/article/87081).
EI continues to monitor the situation for further updates as it unfolds.
If you have any questions or concerns, please reach out to sgoode@ei1.com.