Menlo’s response to log4j vulnerability (CVE-2021-44228)

Menlo Security is aware of the critical vulnerability affecting the log4j library. We are continuing to monitor the situation and will continue to provide updates where appropriate.  For more details, see below and read our KB article here.

Update 4[2021-12-22]

Menlo Security has completed patching of all log4j nodes to 2.16 within the cloud environment. Menlo Security is not affected by the recent DOS bug discovered within log4j 2.16. Menlo Security will still continue to patch all log4j nodes to log4j 2.17.

Premise customers can upgrade to OVA 2.81.3 to receive the log4j 2.16 update. Menlo Security will be releasing another OVA that contains log4j 2.17.

Update 3[2021-12-14]

Menlo Security has completed patching of all log4j nodes to 2.15 within the cloud environment. Due to the recent discovery of the lower severity (CVE-2021-45046) within log4j 2.15, Menlo Security is proceeding to patch all log4j nodes to log4j 2.16.

Premise customers can upgrade to OVA 2.81.2 to receive the log4j 2.15 update. Menlo Security will be releasing another OVA that contains log4j 2.16.

All previous statements about low likelihood still apply for cloud and on-premise customers.

Update 2[2021-12-13]

Menlo Security has completed patching log4j in the cloud environment for all nodes that could potentially process untrusted inputs. We are continuing to work on the remainder of low-risk log4j nodes. 

As per our previous statement, in the Menlo cloud architecture log4j processes log messages generated by other Menlo modules. The messages do not contain external user-controllable strings. Since log4j is not processing untrusted data, the likelihood of exploitation remains very low. Our security team has not been able to reproduce an exploit even when a user is authenticated. 

For premise customers, we are working on an updated version that will contain the patched version of log4j. Since our premise solution mirrors our cloud architecture, all the statements above about the low likelihood of exploitation applies to our on-premise customers too. Out of an abundance of caution, we are still releasing an updated version.

Update 1[2021-12-10]

Menlo Security has log4j deployed in a small portion of the environment. At this time we do not believe this is easily exploitable within Menlo Security’s implementation and have not seen any evidence of exploitation. We have added additional monitoring and are in the process of patching. If there are any other developments we will provide additional updates where appropriate.

Internal Corporate Applications:

Menlo Security is also reviewing potential impact within our corporate applications and patching where appropriate.