On 9th December 2021, Information security researchers reported the discovery of a critical vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) in the Apache Log4j library (versions 2.0-beta9 to 2.14.1). The threat, also named Log4Shell, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute code and potentially take full control of the system.
This vulnerability is rated 10 due to a publicly published Proof-of-Concept, as well as the vulnerability's easy exploitability.
PXP Financial Infrastructure and InfoSec teams have assessed our public-facing applications for the presence of this vulnerability and have confirmed that our systems are not vulnerable. We can also confirm that Log4j is not used in any PXP Financial proprietary software. The team is continuing to review internal services and monitor for updated attack vectors related to this. There have been no PXP Financial systems identified that have been compromised due to this vulnerability.
Our Defence in Depth approach to security includes a multi-layered firewall architecture isolating our public facing systems from internal processing systems, Intrusion Prevention systems with the latest definitions currently available, actively blocking malicious activity, including Apache Log4j remote code execution attempts. Vulnerability scanning to validate the status of all vulnerabilities including the latest Log4j vulnerability. Endpoint protection on all systems which checks for updates every ten minutes. File Integrity Monitoring is operational on all systems to detect and alert us to unauthorised changes to systems. Security Incident and Event Management is operational with alerting in place to notify us of any suspicious activity. Role based access control to ensure access is permitted to systems on least privileged principles. Regular internal and external auditing on all systems and processes.
PXP recommend that you review your environment for the presence of this vulnerability and mitigate any internet facing systems as a matter of urgency.