If you have been following technology or even mainstream news this week, you’ve probably heard about the Log4j vulnerability (CVE-2021-44228) nicknamed Log4Shell. While dangerous vulnerabilities are not new, the shear prevalence of the affected enterprise software across the internet will tax the already short supply of cyber security professionals even further delaying patch deployments.“
This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN. Big financial firms and health care executives attended the phone briefing. (source: CNN)The Ovrture team was well prepared as we were notified of the disclosed vulnerability via Github’s Dependabot the moment the world learned about it — long before most vulnerability scanners (including one we use, Tenable.io) detected the issue.
We patched our application via an emergency change on Friday, December 10th 2021. We have no indications that the exploit was used against any Ovrture systems prior to our update of Log4j to 2.15.
As always, we regularly scan our application and infrastructure for security vulnerabilities and take appropriate steps when needed to ensure the security of our platform and our client’s data. Like everyone else in this industry, we will always have more work to do to secure our platform and our clients data. That said, we are glad to know that our investments in technical agility have have proven capable of keeping us ahead of issues like these to better serve our clients and partners in the years ahead.
Update December 16, 2021
After writing this update, it was discovered that the Log4j 2.15 patch still left a smaller exposure to a potential DOS attack. Once again, we have tested and deployed updates to our application remediating the known vulnerabilities. This is a good reminder that security work is never done.
Chris leads the Ovrture team in building, maintaining, and enhancing the platform. He also works directly with clients to build systems, drive adoption, and conceive of new use cases. Believing that the application of new thinking is what drives the world forward, Chris takes great pride in bringing a far more efficient and modern approach to the “digital advancement office.”