Information Security

 View Only
Expand all | Collapse all

Log4J Vulnerability

  • 1.  Log4J Vulnerability

    Posted 12-12-2021 03:25 PM
    Curious what activity is happening in organizations around the Log4J vulnerability from last week. We've been 'all Info Sec hands on deck' this weekend but there hasn't been much chattter in third party risk circles (unless I missed them).  Our focus has been on internal system and on Monday we'll shift to supplier/third party communications and next steps. Just curious if others are taking a similar approach or if there is more widespread TPR implications that just haven't hit the web yet. Thoughts?

  • 2.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:20 AM
    Hi Dave, we reached out to all of our vendors rated as operationally critical with high data risk on Monday, following a similar path it sounds like to your organization.  We document the responses and work with the InfoSec team to share information and updates.  About 1/2 have reported that the they either were not using a vulnerable instance of Log4j or that they were but have not identified any exploits.  The remainder are in process completing their reviews so we are actively monitoring.

    I am curious how you, or other in the group, handle public or public/private entities such as the regional Federal Reserve Banks and Fannie/Freddie.  We have not found a good method to obtain status or information relating to possible security threats, unless we have a connection in the organization, and their reporting requirements don't appear to be the same.


    Shelly Chase
    Senior Risk Analyst Officer

  • 3.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:27 AM
    Good Morning Shelly,

    Fannie Mae is aggressively assessing our internal and external impacts to the Log4j event.  If you would like information on the status of our efforts for this cyber event, or future events, please email us at [Email removed by Community Manager for privacy reasons. Message the community member directly for email].  As is typical, we have a standard message at the ready that we are happy to share.  



    Heather Flewallen
    Director, Third Party Risk Management
    Fannie Mae

  • 4.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:52 AM
    Thanks so much Heather- that is extremely helpful!


    Shelly Chase
    Senior Risk Analyst Officer

  • 5.  RE: Log4J Vulnerability

    Posted 12-15-2021 09:04 AM
    At FHLB SF, weekend was internally focused on identification/assessment and patching.  Monday was Vendor focus on all Critical and High IT services providers.   Impact assessment and mitigation questionnaire sent, ~75% response rate so far of those about a 1/3 not impacted at all, 2/3 patch deployed, and 1/3 still assessing impact but at the moment no impact.

    Many of the vendors declined the questionnaire and provided canned response and the big guys like Workday, Oracle, etc.. sent us to their public Log4j Security Blog page for assessment and continued updates. 

    Hope this helps

    - Dave

  • 6.  RE: Log4J Vulnerability

    Posted 12-17-2021 03:53 PM
    are you willing to share your questionnaire that you sent out?

  • 7.  RE: Log4J Vulnerability

    Posted 12-17-2021 04:51 PM

    Ashley –

    If you send a note to security-compliance AT Infoblox DOT com, I can send you a copy of the email message we are using to contact downstream vendors.  KW


    Kate Wakefield CISSP, CIPT, CRISC

    Sr. Manager Security Compliance

    Logo  Description automatically generated with low confidence




  • 8.  RE: Log4J Vulnerability

    This message was posted by a user wishing to remain anonymous
    Posted 12-15-2021 09:51 AM
    This message was posted by a user wishing to remain anonymous

    Would someone be willing to share a basic questionnaire that we can send out to our vendors?

  • 9.  RE: Log4J Vulnerability

    Posted 12-17-2021 03:40 PM
    Shared Assessments has developed a scoping tool that might be helpful if you are looking for a template.

    Log4j Vulnerability Resources - Shared Assessments

    We approached it with a very broad request versus a questionnaire.


    Shelly Chase
    Senior Risk Analyst Officer

  • 10.  RE: Log4J Vulnerability

    Posted 12-21-2021 03:56 PM
    For anyone who sends out questionnaires to vendors for situations like this, do you see a lot of response to the questions?  The vendors that we are reaching out to have access to PII / are critical and high risk and in my experience, they almost never respond to the questions, but instead provide a blanket statement.  I'd be interested in finding out if others have any luck with the questionnaire-type response.

  • 11.  RE: Log4J Vulnerability

    Posted 12-21-2021 04:19 PM
    Hi - 

    Like most of us here, we have a large vendor pool so we had to limit the questionnaire to our high / medium risk vendors in specific industries (Healthcare, Financial, SaaS, etc). To make sure that we are not adding additional work on our vendors plate during a time as such, we took a tiered approach with our Log4J questionnaire. Parent question asked if they had been impacted (Y/N), If No = questionnaire is over and we thank them for completing the questionnaire. If Yes, we only ask two additional questions. 

    While I am sure most of us in this community are taking this approach, we have found that this has worked for us with a high return rate. So far, we have achieved a 56% completion rate and expected to have the rest of our vendor population completed in the next couple days. 

    Even though we have had a high completion rate, it goes without saying that we did receive a handful of canned responses or links to our site and will just use that information to complete our internal process so it can all be recorded.


  • 12.  RE: Log4J Vulnerability

    Posted 12-15-2021 10:07 AM
    Passing this link for GitHub on as this is always helpful information

    GitHub - cisagov/log4j-affected-db


    Shelly Chase
    Senior Risk Analyst Officer

  • 13.  RE: Log4J Vulnerability

    Posted 12-15-2021 10:26 AM
    This is very helpful, thank you!

    Sheila Freyou

    Director, Vendor Management
    Celebrity Home Loans, LLC

  • 14.  RE: Log4J Vulnerability

    Posted 12-17-2021 05:31 PM
    Looking forward, we are looking at the use of things like this open-source logging library. The major problem with Log4J is that it suffers from code bloat. This was all done to support just grabbing this library and using it for all your logging needs. It really has not been well maintained nor has it undergone a security code scrub to look for exploitable vulnerabilities. I do not want you to think that I am necessarily knocking the Apache org for this because all-in-all the community takes pretty good care of the code and code libraries. 

    The really good news here is that there have been no instances or exploits that might pollute the supply chain (aka SolarWinds). This is why it has been fairly quiet on the TPRM front. And there are now several groups taking a hard long look which led to the realization that there are things in vers. 2.15 that need to be fixed. And that there is a vers. 2.16 that fixes these issues. 

    We have the happy task of not just responding to all our customers while we address this issues in our products but also looking for the library in the products and services we resell. It will take a while to reconcile all this. 

    So, on our end, we are making changes to our open-source use processes to pare down these libraries to just what is needed and nothing else. Also, to add testing for these kinds of vulnerabilities.

  • 15.  RE: Log4J Vulnerability

    Posted 12-20-2021 09:16 AM

    Thank you Mark.


    It appears this vulnerability has evolved once again.  

    Please upgrade to log4j version 2.17


    After Apache Log4j v2.15, the first new vulnerability, 45046, came as a result of an incomplete fix in Apache version 2.15, and allows the attacker to take control over the Threat Context Map input data. The latest vulnerability, 45105, is due to a lack of protection from uncontrolled recursions in Apache log4j version 2.16. Log4j version 2.17 has been released in which these issues are currently resolved.



    CVE-45046 -

    CVE-45105 -



    Larry Timmins

    Senior Technical Project Lead, PMP
    Information Technology


    on behalf of EmPRO Insurance Company