Updated: Notice of critical vulnerability in Apache Log4j

Update - 17/12/2021

Following the identification on Friday 10th December of a major vulnerability in a common Java logging tool, Apache Log4j, MHR has continued its efforts to confirm that we have not been affected by the vulnerability.

All investigations to date have concluded that MHR has not been affected and that there is no risk to customer products, services or data.

We can confirm that the following MHR hosted products are not affected:

• iTrent and associated interfaces (e.g. Penserver) – Log4j is not used by the software
• Document Logistix – Log4j is not used by the software
• People First  – Log4j is not used by the software
• MCR – Log4j is not used by the software
• Talksuite  – Log4j is not used by the software
• Learning Management System (Docebo) - Log4j is not used by the software
• SAP Analytics Cloud - Log4j is not used by the software
• Business Objects – Log4j is used to some extent, but only the Log4j-api module and not the vulnerable log4j-core module
• Pension Data Services - Log4j is used in the supporting SAP Data Services, but not the vulnerable component.

MHR identified a small number of third-party products using the vulnerable software, but security controls were in place to mitigate any potential risk.

• It was identified that the third-party, customer SFTP service was using the vulnerable software, which was updated immediately. There is no risk to this service, however, as it is IP restricted to MHR customers only and so could not have been exploited by malicious actors from the Internet.
• It was identified that the third-party Enable Now service was using the vulnerable software, which we are still waiting on a patch from SAP. There is no risk to this service, however, as security controls are in place on the firewall to mitigate the risk of this vulnerability, as the service is prevented from making outbound connections to the Internet. As a precautionary measure, MHR have implemented an additional firewall rule to block any inbound attempts to exploit this vulnerability.
• It was identified that the third-party IBM Planning Analytics Workspace service was using the vulnerable software. There is no risk to this service, however, as security controls are in place on the firewall to mitigate the risk of this vulnerability, as the service is prevented from making outbound connections to the Internet. As a precautionary measure, MHR have implemented an additional firewall rule to block any inbound attempts to exploit this vulnerability. The latest patch for this service is being applied to the hosted environment.

MHR’s customer products and services are monitored 24/7 by a leading managed security provider. They are monitoring inbound and outbound firewall and DNS logs for known malicious IPs and domains, and we are monitoring for outbound LDAP connections not seen before. They have identified several, random attempts to exploit this vulnerability, which were immediately blocked by the security controls in place. They have not identified any indication that MHR has been affected by this vulnerability in any way.

We will continue to monitor our systems and stay abreast of any changes to the global situation regarding the Log4j vulnerability.

Please note: we are aware that the details of the vulnerability have changed several times since its disclosure, including that the fix for the initial vulnerability in version 2.15.0 introduced a further vulnerability (CVE-2021-45046) and that version 1.x is also vulnerable to some extent. This new information has been taken into consideration as part of our investigations and has not changed our original conclusions.

-

Update: 14/12/2021

Following the identification on Friday 10th December of a major vulnerability in a common Java logging tool, Apache Log4j, MHR has continued its efforts to confirm that we have not been affected by the vulnerability. All investigations to date have concluded that MHR has not been affected and there is no risk to customer products, services or data.

We can confirm that the following MHR products do not use the vulnerable Log4j software and have not been affected:

• iTrent and associated interfaces (e.g. Penserver)
• Business Objects
• Document Manager
• People First
• MCR
• Talksuite
• Docebo
• Pension Data Service

MHR has identified a small number of third-party products using the vulnerable software, but security controls were in place to mitigate any potential risk.

It was identified that the third-party, customer SFTP service was using the vulnerable software, which was updated immediately. There is no risk to this service, however, as it is IP restricted to MHR customers only and so could not have been exploited by malicious actors from the Internet.

It was also identified that the third-party Enable Now service was using the vulnerable software, which we are still waiting on a patch from SAP. There is no risk to this service, however, as security controls are in place on the firewall to mitigate the risk of this vulnerability, as the service is prevented from making outbound connections to the Internet. As a precautionary measure, MHR have implemented an additional firewall rule to block any inbound attempts to exploit this vulnerability.

MHR’s customer products and services are monitored 24/7 by a leading managed security provider. They have identified several, random attempts to exploit this vulnerability, which were immediately blocked by the security controls in place. They have not identified any indication that MHR has been affected by this vulnerability in any way.

We will continue to monitor our systems and stay abreast of any changes to the global situation regarding the Log4j vulnerability.

- Andrew Watson, CTO at MHR.

-

Update: 13/12/2021

The announcement regarding this vulnerability was very concerning and MHR can assure all of its customers that as soon as the vulnerability was announced, immediate action was taken to verify if there was any risk to MHR’s products, services, and customer data and ensure all possible mitigations were in place and effective.  We can confirm that MHR’s primary products do not use Apache Log4j and therefore there is no risk of this vulnerability within these products.

In addition, initial investigations indicate that none of MHR’s internal business systems have been negatively affected by this vulnerability and while a small subset of third-party software has been identified as potentially vulnerable, the controls around the solutions prevent internet access and thereby prevent malicious actors aligned to this vulnerability.  Action is now being taken to update this third-party software immediately.  Further mitigations are also being implemented across all firewalls to further ensure the vulnerability could not be exploited in the extremely unlikely event of the controls being circumvented.

In-depth investigations will continue to check that no other systems have been affected, including contacting all suppliers to confirm their systems have not been affected either.

Regular updates on the status of the investigations will be provided through the website and through the customer service portal. Customers with any concerns should contact the MHR team here.

- Andrew Watson, CTO at MHR.