
December 14, 2021

Patching Log4Shell

If you have been following technology or even mainstream news this week, you’ve probably heard about the Log4j vulnerability (CVE-2021-44228) nicknamed Log4Shell. While dangerous vulnerabilities are not new, the sheer prevalence of the affected enterprise software across the internet will tax the already short supply of cyber security professionals even further, delaying patch deployments.

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN. Big financial firms and health care executives attended the phone briefing. (source: CNN)

The Ovrture team was well prepared as we were notified of the disclosed vulnerability via GitHub’s Dependabot the moment the world learned about it — long before most vulnerability scanners (including one we use, Tenable.io) detected the issue. We patched our application via an emergency change on Friday, December 10th, 2021. We have no indications that the exploit was used against any Ovrture systems prior to our update of Log4j to 2.15.

As always, we regularly scan our application and infrastructure for security vulnerabilities and take appropriate steps when needed to ensure the security of our platform and our clients’ data.

Like everyone else in this industry, we will always have more work to do to secure our platform and our clients’ data. That said, we are glad to know that our investments in technical agility have proven capable of keeping us ahead of issues like these to better serve our clients and partners in the years ahead.

Onward,
Chris

Update December 16, 2021

After writing this update, it was discovered that the Log4j 2.15 patch still left a smaller exposure to a potential DoS attack. Once again, we have tested and deployed updates to our application remediating the known vulnerabilities. This is a good reminder that security work is never done.

Chris Picht, DevOps Manager, CISO, Senior Software Engineer

Chris works behind the scenes to keep our application and environment safe, reliable, and secure. He creates and maintains the infrastructure that powers our application, ensuring it meets current client needs while preparing for the future. Chris believes that perfect is a much better verb than a noun and finds joy in continuously working to improve processes, procedures, and security to enhance the service our clients depend upon. He previously worked for a prominent research university supporting marketing and communication objectives with technology and also for a name brand in weather data, technology, and human insight.

If you’d like to speak with us directly, you can reach us online at snavelyassociates.com/contact or ovrture.com/contact.