ISACA Community,
In the past week, you’ve likely seen multiple headlines about a new major security vulnerability. Log4j is an open-source logging framework built on Java coding language that is used by approximately one-third of all webservers. On 9 December, a flaw in the code was discovered and rated a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) due to its possible impact.
We have confirmed that the ISACA platform is NOT affected by the Log4Shell vulnerability or any of its components.
However, because this is a very commonly used java-based software that attackers can use to gain a foothold via vendor software or services, we have been checking the status of our vendors’ patching activity and will continue tracking this issue until it has been remediated.
Below are three resources you might find helpful in learning more about this vulnerability:
- ISACA Now blog: http://xhrj.yutb.net/resources/news-and-trends/isaca-now-blog/2021/log4shell-vulnerability-highlights-critical-need-for-improved-detection-and-response
- ISACA Live video discussion: http://www.youtube.com/watch?v=KzcOBx3_Sgk
- Guidance from the US Cybersecurity and Infrastructure Agency (CISA): http://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
Scott Reynolds
Senior Director, Enterprise Cybersecurity