Aryaka CISO update on Log4Shell and its impact

On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-44228 has the highest and most critical alert level and has been nicknamed “Log4Shell”.

To provide some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from 2.0-beta9 to 2.14.1. This could allow a remote attacker to execute code on a server running an affected Log4j version if the system logs an attacker-controlled string value containing a JNDI lookup that points to the attacker’s LDAP server.

More simply put, this exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the globe.
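
As an added example (not Aryaka's code or tooling), the Python check below classifies jar file names against the affected range stated above, 2.0-beta9 through 2.14.1. It assumes the standard `log4j-core-<version>.jar` file naming, and the sample paths are constructed.

```python
import re

# Matches the Maven artifact file name log4j-core-<version>.jar, with an
# optional pre-release qualifier such as -beta9 or -rc1.
JAR_RE = re.compile(
    r"log4j-core-(\d+(?:\.\d+){0,2})(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)
# Pre-releases sort before the final release of the same version number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}

# Affected range as stated in the article: 2.0-beta9 through 2.14.1.
FIRST_AFFECTED = ((2, 0, 0), QUALIFIER_RANK["beta"], 9)
LAST_AFFECTED = ((2, 14, 1), QUALIFIER_RANK[""], 0)


def version_key(path):
    """Return a sortable key for a log4j-core jar path, or None if no match."""
    m = JAR_RE.search(path)
    if m is None:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # "2.0" -> (2, 0, 0)
    qualifier = (m.group(2) or "").lower()
    return (tuple(nums), QUALIFIER_RANK[qualifier], int(m.group(3) or 0))


def classify(path):
    """Classify one path as 'affected', 'outside-range' or 'not-log4j-core'."""
    key = version_key(path)
    if key is None:
        return "not-log4j-core"
    return "affected" if FIRST_AFFECTED <= key <= LAST_AFFECTED else "outside-range"


# Constructed sample inventory (hypothetical paths, not from the article).
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.0-beta8.jar",
    "/opt/app/lib/log4j-core-2.0-rc1.jar",
    "/srv/svc/WEB-INF/lib/log4j-core-2.15.0.jar",
    "/srv/legacy/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):15} {p}")
```

A file-name check does not see Log4j classes bundled inside fat or shaded jars, and "outside-range" means only that the version falls outside the range quoted in this article.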

Aryaka Networks’ Security Team have been working diligently

Since the disclosure, the security team here at Aryaka Networks have been working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers and our internal systems may have to this threat.

Here is our log of events:

9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software.

10th December 2021: Aryaka Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base.

12th December 2021: Aryaka Networks has confirmed the following services and systems are not affected:

  • Aryaka Network Access Point (ANAP) devices do not have any Java components and are not vulnerable.
  • MyAryaka, including its internal components, does not use any Log4j 2 version.
  • The Aryaka CORE network is not impacted by this vulnerability.
  • We have confirmed third-party SASE solutions we support are not impacted.

What about Aryaka’s Cloud-First WAN and security platform? Was it exposed?

The short answer is no. Our engineering and operations teams have worked side by side with our security analysts to investigate our own cloud and confirm that based on everything that we know, we are not vulnerable to this exploit.

Ultimately, no one is 100% secure. The test is really about what you have done to minimize the potential risk, and what you can do to mitigate it when it manifests. Aryaka has all the resources, the skills and the talent to minimize our attack surface and to make sure that our ability to respond to emerging threats is at the maximum. This is the balance our customers deserve.

This Is Not Over Just Yet

As often happens with such high-profile and critical CVEs, more data and IoCs (Indicators of Compromise) are surfacing as more analysts across the IT and cyber communities dive deeper into the case.

Our researchers and engineers are continuing their work, monitoring new discoveries across the community, and running our own research to make sure our customers remain protected.

About the author

Edward Frye
Edward is the Chief Information Security Officer at Aryaka Networks and an information security leader with over 20 years of experience establishing cross-functional, practical security approaches that fit company culture and business goals. He is responsible for the company-wide leadership of Aryaka’s cybersecurity, privacy, governance, risk, and compliance programs, and collaborates with industry leaders to share best practices on information security. Previous cybersecurity leadership roles include Elementum, BlueJeans, Kaiser Permanente, Valley Oak Systems, Ellie Mae, and PaymentOne. Edward is a certificated commercial pilot and ground instructor.