Menlo Security Cloud Security Platform receives FedRAMP® Authorization
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Menlo Security | Dec 14, 2021
Share this article
Menlo Security is aware of the critical vulnerability affecting the log4j library. We are continuing to monitor the situation and will continue to provide updates where appropriate. For more details, see below and read our KB article here.
Menlo Security has completed patching of all log4j nodes to 2.16 within the cloud environment. Menlo Security is not affected by the recent DOS bug discovered within log4j 2.16. Menlo Security will still continue to patch all log4j nodes to log4j 2.17.
Premise customers can upgrade to OVA 2.81.3 to receive the log4j 2.16 update. Menlo Security will be releasing another OVA that contains log4j 2.17.
Menlo Security has completed patching of all log4j nodes to 2.15 within the cloud environment. Due to the recent discovery of the lower severity (CVE-2021-45046) within log4j 2.15, Menlo Security is proceeding to patch all log4j nodes to log4j 2.16.
Premise customers can upgrade to OVA 2.81.2 to receive the log4j 2.15 update. Menlo Security will be releasing another OVA that contains log4j 2.16.
All previous statements about low likelihood still apply for cloud and on-premise customers.
Menlo Security has completed patching log4j in the cloud environment for all nodes that could potentially process untrusted inputs. We are continuing to work on the remainder of low-risk log4j nodes.
As per our previous statement, in the Menlo cloud architecture log4j processes log messages generated by other Menlo modules. The messages do not contain external user-controllable strings. Since log4j is not processing untrusted data, the likelihood of exploitation remains very low. Our security team has not been able to reproduce an exploit even when a user is authenticated.
For premise customers, we are working on an updated version that will contain the patched version of log4j. Since our premise solution mirrors our cloud architecture, all the statements above about the low likelihood of exploitation applies to our on-premise customers too. Out of an abundance of caution, we are still releasing an updated version.
Menlo Security has log4j deployed in a small portion of the environment. At this time we do not believe this is easily exploitable within Menlo Security’s implementation and have not seen any evidence of exploitation. We have added additional monitoring and are in the process of patching. If there are any other developments we will provide additional updates where appropriate.
Internal Corporate Applications:
Menlo Security is also reviewing potential impact within our corporate applications and patching where appropriate.
Posted by Menlo Security on Dec 14, 2021
To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.