PelicanCorp SaaS - Log4j Zero-Day Vulnerability “CVE-2021-44228”

On Friday December 10th, PelicanCorp along with many other companies, became aware of a critical severity zero-day exploit known as “Log4Shell” in the Log4j library, which is widely used in a variety of systems on the internet. We immediately created a security incident and various teams have been actively taking steps to mitigate and monitor the situation.

PelicanCorp’s SaaS platform does not make extensive use of Java. However, in services and components where we identified use of this library, the vulnerability did not appear exploitable or we are running a current version that is not impacted by this exploit.

PelicanCorp business systems that leveraged the Log4j library version, and that required mitigation in order to avoid the log4j zero-day vulnerability, were upgraded by end of day Tuesday, 14th December 2021.

PelicanCorp’s network and firewall architecture limits the ability of this exploit to be successful, and we have added additional steps at our network layer to reduce the possibility of exploitation.

We continue to monitor for attempts by threat actors to attempt the exploit.

We will continue to coordinate with our sub-processors, including AWS and Azure, and other associated 3rd parties, to determine impacts to their environments and services as well, and we will continue to take action on any updates required as we learn of them.

PelicanCorp SaaS

Our teams will continue to monitor for impacts on sub-processor or dependent systems, but we have updated all known areas of impact to our SaaS offering and we are continuing to monitor all PelicanCorp services and environments. At this time PelicanCorp SaaS customers do not need to take any additional action for their use of PelicanCorp's SaaS environment.

Please contact our support team (This email address is being protected from spambots. You need JavaScript enabled to view it.) if you have any further questions.

Referenced Resources

We are using the following resources to ensure we are taking appropriate measures based on any regional requirements.

• CISA Apache Log4j Vulnerability Guidance : https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
• New Zealand Computer Emergency Response Team’s Advisory : https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
• Canadian Centre for Cyber Security Alert : https://cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability
• United Kingdom National Cyber Security Centre Alert : https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
• Australian Cyber Security Centre Alert : https://www.cyber.gov.au/acsc/view-all-content/alerts/critical-remote-code-execution-vulnerability-found-apache-log4j2-library

UPDATED: 16 DECEMBER 2021