From E-fileWiki

Fundsquare’s Response to CVE-2021-44228 Apache Log4j

Updated 27 January 2022 12:00 CET (GMT+1).

We will continue to update this page as more information becomes available.

On 9 December 2021, Apache disclosed a zero-day vulnerability in Apache Log4j (CVE-2021-44228), now referred to as "Log4Shell". It is rated "Critical" with a CVSS score of 10.0 and allows unauthenticated remote code execution with the privileges of the Java process that uses the library. Apache Log4j is Java logging software used by many companies, and it is often included or bundled in third-party software packages, so it can be present on a system without appearing as a direct dependency. The vulnerability exists in Log4j 2 versions 2.0-beta9 through 2.14.1 (Apache's fix shipped in Log4j 2.15.0, with further hardening in later releases) and, if exploited, gives an attacker the ability to execute code on, and thereby remotely access and control, systems where the software runs.
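The following script is an added example (not Fundsquare's tooling, and not described on this page) of the inventory check that the paragraph above implies: it walks a directory for jar, war and ear archives, descends one level into nested jars, reads the Log4j 2 version from the Maven pom.properties or the manifest, checks whether the JndiLookup class is still present, and classifies each jar against the affected range. The fixture archives that build_samples() creates are constructed for illustration (empty entries at the real Log4j paths, not real artifacts), and the verdict names are this example's own.

```python
# Added example, not Fundsquare's tooling: inventory Log4j jars and flag the CVE-2021-44228 range.
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_MARKER = "org/apache/logging/log4j/core/LogEvent.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # Log4j 1.x package layout
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9'); None if unparsable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), (qual or "").lower())

def is_affected(version):
    """CVE-2021-44228 range: 2.0-beta9 .. 2.14.1; fixed in 2.15.0, backports 2.12.2 and 2.3.1."""
    major, minor, patch, qual = version
    if major != 2:
        return False
    if (minor, patch) == (0, 0) and qual:  # 2.0 pre-releases; rc1/rc2 came after beta9
        beta = re.match(r"beta(\d+)$", qual)
        return beta is None or int(beta.group(1)) >= 9
    if minor >= 15 or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True

def _value(zf, names, entry, key):
    """Text after `key` on the first matching line of a text entry, else None."""
    if entry not in names:
        return None
    for line in zf.read(entry).decode("utf-8", "replace").splitlines():
        if line.startswith(key):
            return line[len(key):].strip()
    return None

def inspect_archive(zf, label, depth=0):
    """Classify one open archive, descending one level into nested .jar entries."""
    names = set(zf.namelist())
    findings = []
    if LOG4J2_MARKER in names or LOG4J2_POM in names:
        raw = (_value(zf, names, LOG4J2_POM, "version=")
               or _value(zf, names, "META-INF/MANIFEST.MF", "Implementation-Version:"))
        version = parse_version(raw) if raw else None
        if version is None:
            verdict = "unknown-version"
        elif not is_affected(version):
            verdict = "fixed"
        elif JNDI_CLASS not in names:
            verdict = "mitigated"  # affected version, but JndiLookup.class has been removed
        else:
            verdict = "vulnerable"
        findings.append({"path": label, "family": "log4j2", "version": raw, "verdict": verdict})
    elif LOG4J1_MARKER in names:  # 1.x has no JNDI message lookup, so it is outside this CVE
        findings.append({"path": label, "family": "log4j1", "version": None,
                         "verdict": "not-affected-by-44228"})
    if depth < 1:
        for name in (n for n in names if n.lower().endswith(".jar")):
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):
                with zipfile.ZipFile(data) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!{name}", depth + 1))
    return findings

def scan(root):
    """Walk `root` and return one finding dict per Log4j jar discovered."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files)):
            if path.lower().endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
    return findings

def build_samples(root):
    """Constructed fixtures (empty class entries at the real paths), one per verdict."""
    def log4j2_jar(target, version, jndi=True):
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr(LOG4J2_MARKER, b"")
            zf.writestr(LOG4J2_POM, f"version={version}\n")
            if jndi:
                zf.writestr(JNDI_CLASS, b"")
    log4j2_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")  # vulnerable
    log4j2_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")  # fixed
    inner = io.BytesIO()
    log4j2_jar(inner, "2.12.1", jndi=False)  # affected version with the lookup class removed
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:  # nested one level deep
        war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr(LOG4J1_MARKER, b"")  # Log4j 1.x
    return root

def demo():
    """Build the fixtures in a fresh temp dir and scan them; returns the findings."""
    return scan(build_samples(tempfile.mkdtemp()))
```

Against a real tree, call scan("/path/to/deployments"). An affected version whose JndiLookup.class has been deleted is reported as mitigated rather than vulnerable, which matches Apache's class-removal workaround, and a log4j-core jar with no readable version is flagged unknown-version for manual follow-up. Note that 2.15.0 only disabled the message lookup by default; Apache removed it entirely in 2.16.0 (and in the 2.12.2 and 2.3.1 backports), so anything below those should still be upgraded even though this check reports 2.15.0 as fixed for this CVE.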

Current Situation:

The security of Fundsquare's products (available on e-file.lu and fundsquare.net) and our customers' safety is a top priority. In response to this vulnerability, Fundsquare has taken immediate action to address this critical vulnerability in any of our products and solutions that contain the Log4j software library.

Upon notification of the Log4j vulnerability, our Security Team initiated investigations in accordance with our incident response processes. Fundsquare followed the guidance issued by Apache to all Log4j users, in addition to our internal processes for investigation, forensic analysis and threat mitigation. Fundsquare will remain vigilant regarding all aspects of this challenging and evolving situation.

At this time, no successful exploits have been observed in Fundsquare products, solutions or in the Fundsquare environment. This page will be updated on an ongoing basis to reflect the most current status.

We have put the appropriate remediation and mitigation actions in place and are closely monitoring our systems and network. As the situation can still evolve, we do not yet consider the remediation of this vulnerability finished. All currently available measures are in place to stay protected against the Log4j threat.

Fundsquare also plans to provide answers to common questions on this webpage. It should be considered the single source of current, up-to-date, authorized, and accurate information from Fundsquare.

Frequently Asked Questions

  • Are Fundsquare products affected by the Log4j vulnerability? Which Products were affected?
    The moment we received the alert, our security team took the necessary action to analyse the impact of this finding on our organization and solutions. Patching of potentially impacted components has started, and we follow expert guidance to mitigate the risk caused by this security issue.
  • What remediation actions have been taken?
    All Fundsquare products, software and infrastructure are being evaluated and countermeasures have been or are going to be implemented for protection.
  • Will this incident impact or interrupt the delivery of Fundsquare products and services?
    At this time, we are not anticipating any service disruptions for any Fundsquare products or services.
  • What is the impact to Fundsquare’s business?
    There is no impact to Fundsquare’s business at this time.
  • How does Fundsquare protect its environment from potentially affected software?
    Generally, Fundsquare does not disclose the details of its Cyber Security program. In response to this vulnerability, Fundsquare has followed the recommendations from Apache and local Cybersecurity and Infrastructure Agencies. These actions also include patching and increased monitoring. Our security team and partners work hard to protect Fundsquare.
  • Is an update of e-file.lu and its components required?
    The advantage of e-file.lu is its deployment online through our website. In case of a required update due to a patch, we can manage this update from our back end and the next time you load the page, the patched version will be loaded. This would also be the case for the transmission module that constantly checks for updates when you launch it.
  • Is the Sending Service impacted?
    The Sending Service does not use the impacted library version, so no action is required on our side or yours. Specifically, it uses a Log4j 1.x build furnished by Atlassian, which does not contain this vulnerability: Log4j 1.x does not evaluate JNDI lookups in log messages, which is the mechanism CVE-2021-44228 exploits (note that Log4j 1.x is itself end-of-life upstream). https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-s-Response-to-Log4j-CVE-2021-44228/ba-p/1886598
  • Have Fundsquare’s suppliers and vendors been impacted by Log4j vulnerability?
    Fundsquare is engaging with our supply chain to determine if any suppliers or vendors were impacted by this vulnerability.

Should you require additional information, please do not hesitate to contact our Client Service and Operations Desk at cso.desk@fundsquare.net