Auvik Networks, ConnectWise, Datto, Kaseya, Liongard, N-able, NinjaOne and Pax8 are among the MSP software companies and SaaS marketplace providers to issue statements about the widespread Log4j vulnerability (aka CVE-2021-44228), also known as Log4Shell.
Related Update: Log4j vulnerability timeline -- from discovery to exploits to ongoing mitigation.
The Log4j vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2, BlackPoint Cyber told MSSP Alert.
In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) on December 11, 2021 called the Log4j vulnerability a "severe risk" and offered this four-step guidance to patch Log4j and mitigate potential Log4Shell cyberattacks.
Still, the worldwide Log4j software cleanup could take months, SC Media reported, because thousands of third-party software products run the code.
Amid that backdrop, many MSP software companies have been checking their code for potential exposure to the vulnerability. For MSPs, the status updates and associated vendor guidance could help the overall managed services industry to avoid potential supply chain attacks related to Log4j.
Log4j and MSP Software Provider Statements
The statements from various MSP software, platform and marketplace companies include:
- Auvik Networks found the affected version of log4j is in use in some Auvik systems, IT Business reported. Auvik has validated that all impacted systems are protected against this vulnerability due to safe configuration of the affected flags, the report said. “Our team continues to monitor the situation as it evolves and are updating all systems as necessary to ensure we protect all customers to the best of our ability,” the statement noted.
- Barracuda Web Application Firewall hardware and virtual appliances; Barracuda CloudGen WAF on AWS, Azure, and GCP; Barracuda WAF-as-a-Service; and Barracuda LoadBalancer ADC do not use Log4j, and hence are not affected by this vulnerability, the company said.
- Connectwise Log4j advisories are here.
- Datto has not assessed any material exposure to the log4j vulnerability that would impact the safe use of Datto products at this time." Should this assessment change, Datto said it will update partners immediately.
- Datto has created the Log4Shell Enumeration, Mitigation and Attack Detection Tool for Windows and Linux that downloads and executes the latest detection methods published by Florian Roth.
- Kaseya's list of products and Log4j recommendations are here.
- Liongard as of Dec. 14 has not identified any direct risk to its platform. If the situation changes, Liongard will share Log4j status updates here.
- N-able determined that these software tools (N-central, Backup, MSP Manager, Take Control, Passportal, Mail Assure) were not vulnerable to the issue. The company also evaluated risk within N-able RMM, and deployed patches for any potentially vulnerable components. Also, N-able found no evidence of successful exploitation across its software platform.
- NinjaOne said none of its systems are impacted by this vulnerability.
- Pax8, a SaaS application marketplace for MSPs, tweeted that the company has not detected any malicious exploitation due to the vulnerability.
Log4j Patches and Vulnerability Mitigation Steps
Meanwhile, MSP-friendly security companies such as BlackPoint Cyber, Cybereason and Huntress offered this Log4j security guidance to MSPs and MSSPs.
Stay tuned for ongoing updates.
Story originally posted December 12, 2021. Updated regularly thereafter.
