Posted on 16 December, 2021
Dear Customers and Partners,
You may have heard in the news that there has been a recent discovery of a zero-day vulnerability named “Apache Log4j Remote Code Execution”, also known as “Log4Shell”.
Essentially, the vulnerability could allow an unauthorised user to gain access to a system prior to authentication. For that reason, the vulnerability potentially has serious consequences and is therefore considered a high security risk.
For more details, you can view the security log for Apache here: https://logging.apache.org/log4j/2.x/security.html
Also, the below links will take you to the National Cyber Security Centre’s pages on this issue here:
Boston strongly recommends customers take immediate precautions against this vulnerability by patching affected products to the updated Log4j2 version 2.15.0.
We further suggest following industry best practices, including those published by Apache (Apache Log4j Remote Code Execution), and seeking industry-qualified technical advice prior to taking such actions.
Some customers may be understandably concerned that there could be Log4j exposure within the infrastructure which Boston has supplied. Subsequently, our team has been working hard to check in with our vendors and customers on this in depth.
Our partner Supermicro has already released the below statement regarding an affected software package which they supply - Supermicro Power Manager (SPM) - www.supermicro.com/en/support/security/Apache_log4j2
So far, we believe this may be the primary (possibly only) product affected in this case, but please do check your own products and infrastructure carefully.
Boston will continue to review and assess the Log4j vulnerability, and we will update this page with further information as and when it becomes relevant to do so.
If you have any enquiries or would like to talk to our team, you can call us on 01727 876100 or email [email protected].
This advice is not representative of any specific situation and is intended as general notification only. All users of this information should acquire industry-certified advice for their specific environment and technology products before taking action. Boston Limited shall in no way be liable for any compensation derived from or related to any information contained within this page, or actions that any users take based on this information. This includes, but is not limited to, direct, indirect and/or consequential losses. This notification is applied to the extent permissible under UK law.