Blue Connections IT Apache Log4j Advisory

Background:

Log4j is a Java-based logging utility released by the Apache Software Foundation and used in many Java-based applications and technologies.

On the 9th of December 2021, a critical vulnerability affecting Apache Log4j was publicly disclosed. This vulnerability allows an attacker to execute arbitrary code on any system running Apache Log4j version 2.15 or below.

On the 17th of December 2021, an additional critical vulnerability affecting Apache Log4j was disclosed, confirming that Apache Log4j version 2.16 is vulnerable to a denial-of-service attack.

Blue Connections have investigated our products and services to identify where mitigation is required and have implemented the mitigations.

The affected products and the mitigation technique applied to each are listed in the table below.

Mitigation:

AFFECTED PRODUCTS            MITIGATION TECHNIQUES
Blancco Management Console   Updated to version 5.11.1
ConnectWise Manage           Applied latest patch to 2021.2 Manage On Premise – Log4J remediation – ConnectWise
Mitel MiCollab               Applied latest patch
VMware Virtual Center        Applied workaround from article 87081
VMware Horizon               Taken offline until a patch is available
VMware Identity Manager      Applied workaround from article 87093
VMware UAG                   Taken offline until a patch is available

We strongly encourage customers whose environments contain Log4j to update to the latest version.

Blue Connections are continuously monitoring the situation for any additional updates released by vendors.