Log4j Vulnerability Update
Incident Report for Poppulo
Resolved
All Poppulo systems have been patched and updated to Apache Log4j 2.17.1.

There is no evidence of this vulnerability being exploited within any Poppulo environment.
Posted Jan 17, 2022 - 12:34 GMT
Update
Another vulnerability was found in Apache Log4j 2.17, and an update, Apache Log4j 2.17.1, was released. Poppulo is planning to upgrade to Apache Log4j 2.17.1 over the coming days to mitigate this risk. There is no evidence of this vulnerability being exploited within any Poppulo environment. We will continue to monitor our environments on an ongoing basis.
Posted Jan 05, 2022 - 10:06 GMT
Update
Poppulo's production systems are now 100% updated from Apache Log4j 2.16 to Apache Log4j 2.17. There is no evidence of this vulnerability being exploited within any Poppulo environment. We will continue to monitor our environments on an ongoing basis.
Posted Dec 22, 2021 - 16:08 GMT
Monitoring
We have been updating all production systems from Apache Log4j 2.16 to Apache Log4j 2.17 and now have 78% of our systems updated. There remains no evidence to suggest either vulnerability has been exploited within any Poppulo environment.
Posted Dec 20, 2021 - 17:18 GMT
Investigating
Poppulo was alerted to the Log4j vulnerability when it was published the week of 6th December and subsequently updated all systems to Apache Log4j 2.16. A further vulnerability was highlighted last week, involving a mandatory update to Apache Log4j 2.17.

There has been no evidence of either vulnerability being exploited within any Poppulo environment. The mitigating upgrade of all systems to 2.17 began on Friday, December 17th and is estimated to be completed in all our environments within the next 36 hours. We will continue to monitor our environment on an ongoing basis.


1. Is Poppulo aware of the most recently published log4j vulnerability (CVE-2021-45105 / Denial of Service)?
Yes. Poppulo subscribes to a number of vulnerability reporting/tracking repositories, and was alerted to, and has been aware of, the vulnerability since it was published last week.
2. Is Poppulo leveraging log4j versions which are potentially impacted by the vulnerability?
Yes. There are instances of log4j within our environments that are vulnerable to the published exploit.
3. Is Poppulo aware of any actual exploits of the vulnerability in the Poppulo environment?
There is no evidence of this vulnerability being exploited within any Poppulo environment. We will continue to monitor our environments on an ongoing basis.
4. Is Poppulo taking steps to patch its environment and to mitigate the risk of exploit?
Patches to address the vulnerability are currently being applied to our environments, and this work is estimated to be completed in all environments within the next 36 hours.
Posted Dec 20, 2021 - 13:27 GMT