Micro Focus Response on “Log4j” Vulnerability

Micro Focus is taking immediate action to analyze and to remediate, where appropriate, Common Vulnerabilities and Exposures (CVE-2021-44228 / Log4j also known as Logshell / Logjam),…

Sean O'Brien profile picture

Sean O’Brien

December 13, 20212 minutes read

Micro Focus is taking immediate action to analyze and to remediate, where appropriate, Common Vulnerabilities and Exposures (CVE-2021-44228 / Log4j also known as Logshell / Logjam), a reported vulnerability in the Apache Log4j open source-component that allows Remote Code Execution. Using the Remote Code Execution an attacker can potentially run malicious code that can perform unauthorized operations. This is defined by the Common Vulnerability Scoring System (CVSS) as a level 10 exploit. Micro Focus uses Log4j for standard logging functionality across a number of product portfolios. We are actively remediating the vulnerability across those products to protect both SaaS and on-premises customers and issuing security bulletins with instructions on how to remediate for on-premises installations. We will continue to provide details of the Log4j compromise until the risk is completely mitigated. Updates can be found here.

Micro Focus uses a mature formal process to handle vulnerabilities that are identified both internally and externally. We have a robust, dedicated, full-time threat intelligence team with a Micro Focus-wide view, that is constantly reviewing new reports of vulnerabilities, threats and compromises for possible impact to our products and network.

Micro Focus operates a Secure Development Lifecycle that includes among other practices, a Supply Chain Security practice, 3rd Party Component Manifest and a 3rd Party Component Monitoring. Using these formal practices we ensure 3rd party components are sourced from trusted repositories, scanned and tested, free of known CVEs, and signed to ensure authenticity and integrity. New vulnerabilities are scanned and tracked to ensure closure. Unsupported 3rd party components are deprecated.

Micro Focus has a formal practice of secure software coding that is designed to protect against malicious code, backdoors, transitive dependency based vulnerabilities and other threats.

Micro Focus is actively implementing patches and mitigation measures where appropriate for the Log4j vulnerability. Zero-Day and Critical vulnerabilities are fast tracked and delivered outside the product’s major point release cycle. We rank potential patches according to CVSS scoring, and also our own enhanced scoring system that takes additional data points into account. Configuration changes or patch installations require Quality Assurance analysis and testing prior to deployment to production systems to prevent unexpected service interruptions.

After investigation and analysis, we have had no indications of Log4j intrusions as of today, December 13, 2021.

For more information and regular updates please visit our Security updates page.

Share this post

Share this post to x. Share to linkedin. Mail to
Sean O'Brien avatar image

Sean O’Brien

See all posts

More from the author

Update on Micro Focus Response to “Log4j” Vulnerability

Update on Micro Focus Response to “Log4j” Vulnerability

December 15, 2021 Updates: Micro Focus is taking immediate action regarding Common Vulnerabilities and Exposures CVE-2021-44228 and CVE-2021-45046. CVE-2021-44228 Micro Focus is aware of the…

December 15, 2021 2 minutes read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.