Potential impact of CVE-2021-44228 Apache Log4j vulnerability on Egress products and systems

Egress | 13th Dec 2021

Update: December 21st, 2021, 14:00 GMT

Following our ongoing security investigation in the CVE-2021-44228 Apache Log4j vulnerability, we can further confirm the Egress products and applications remain unaffected from CVE-2021-45046 and CVE-2021-45105.

We will update this page if new information comes to light. If in the meantime you have specific questions about how this might have impacted you, please reach out to our Customer Support team.

Update: December 14th, 2021, 10:30 GMT

Patching to mitigate any potential vulnerability in Egress Respond was completed overnight and we will continue to test and monitor services following its completion.

Update: December 13th, 2021, 17:55 GMT

Following our continued security investigation in the CVE-2021-44228 Apache Log4j vulnerability, we can confirm the following Egress products and applications currently remain unaffected:

  • Egress Protect (Egress Switch)
  • Egress Prevent
  • Egress Defend
  • Egress Secure Workspace
  • Egress Secure Webforms
  • Egress endpoint applications: Outlook Addin, Secure Gateway, Mobile app for Egress Protect, Mobile app for Secure Workspace
  • Egress Web Access

We have identified use of Apache Log4j in Egress Respond (previously known as Egress Investigate/Secure Vault) and we are actively patching to mitigate any potential vulnerability.

Note: On-premises Egress Respond customers who require updates on this are advised to contact our Support Desk now for further assistance.

Update: December 13th, 2021, 11:30 GMT

On Friday, December 10th, 2021, Egress was made aware of the Apache Log4j critical vulnerability (CVS-2021-44228), an open-sourced Java-based logging framework used by enterprise applications and cloud services.

How are we addressing the problem?

Since becoming aware of the vulnerability, we have been undertaking a thorough security investigation to understand whether this vulnerability is present in our software and third-party systems that we use.

Our investigation has identified some use of Apache Log4j 2 code in our software code. We are putting in place security mitigations and fixes to the identified systems and testing these steps to ensure they are effective in protecting against the identified vulnerability.

Has this vulnerability affected any customer-facing products and operations?

Investigations are ongoing and we have been monitoring our systems. At this time, we have not discovered any evidence of compromise.

We will continue our security investigation, and if any further use of the code is identified, will implement any further mitigations for vulnerable software or systems in the coming days, in accordance with our critical problem management practice.