Comviva’s response to Apache Log4j 2
- What is Log4j?
- What we know about the Log4j vulnerability?
- What protective measures have been taken by Comviva ?
- Are Comviva products affected by the Log4j vulnerability?
- What remedial actions have been taken?
- Will this incident impact or interrupt the delivery of Comviva products and services?
- What is the impact to Comviva’s business?
- How does Comviva protect its environment from potentially affected software?
- Have Comviva’s suppliers and vendors been impacted by Log4j vulnerability?
- Who is affected by this vulnerability?
- How to remove the risk of the Log4j vulnerability?
The recent Log4j cybersecurity vulnerability has left many organisations across the globe in sheer disbelief and panic, over what is being reported as the worst ever cybersecurity exposure in history. The security of both Comviva solutions and our customer’s safety is a top priority for us!
In response to CVE-2021-44228 Apache Log4j 2 vulnerability, we have proactively taken immediate action to address any critical vulnerability affecting our products and solutions containing the Log4j software library.
Comviva is actively analysing the impact of reported remote code execution vulnerability (CVE-2021-44228) in the Apache Log4j 2 Java library. We are assessing our Infrastructure both onsite and those deployed across the globe in customer sites and are in constant touch with all our esteemed customers across the globe. They have already been briefed about the risks associated and has put all our deployments under active monitoring to mitigate the risk of exploitation of the reported vulnerability.
Our App development community has already been briefed of the possible impact and associated risks on the very first day when the vulnerabilities were reported. Our internal security SMEs also circulated notes internally on how to carry out the fix on different Log4j versions as well as possible impact on other open-source software. This is to ensure upgrades by different product teams can be done in a structured manner, avoiding any further challenge in finding a solution and also to minimize the individual interpretations. It will also help in reducing turnaround time of the fixes at customer’s end.
In parallel, wherever the upgrade is required, we are preparing detailed execution plan to carry upgrade without impacting any existing services. At this point of time, we are not anticipating any disruptions in services across any of our deployments.
We will continue to remain vigilant regarding all aspects of this challenging situation.
Updated December 16, 2021
Frequently Asked Questions
1. What is Log4j?
Log4j is a popular Java based logging framework provided and maintained by the Apache Software Foundation.
Back to Top
2. What we know about the Log4j vulnerability?
The Log4j vulnerability is also referred as Log4Shell or LogJam. Cyber security experts have classified the Log4j vulnerability as a critical flaw which allows hackers to execute arbitrary code remotely.
Some reports suggests that it was first detected by the Alibaba Cloud Security team on 24 November, 2021, whilst some also claim it was only detected on 9 December, 2021.
An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of Log4j. The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services. Back to Top
3. What protective measures have been taken by Comviva ?
We are actively analysing the impact of reported remote code execution vulnerability in the Apache Log4j 2 Java library and have already put the deployments under active surveillance to mitigate the risk of exploitation.
Our development community has already been briefed of the possible impact and associated risks on the first day of vulnerabilities reported. Our internal security SMEs also circulated notes internally on how to carry out the fix on different log4j versions and possible impact on other open source software. It will help in carrying out the fixes in more structured manner reducing turnaround time of the fixes to the customers.
Wherever upgrades are required, we are preparing detailed execution plan to carry upgrade without impacting the existing services. Back to Top
4. Are Comviva products affected by the Log4j vulnerability?
Yes, some of our products have been impacted by the Log4j vulnerability.Back to Top
5. What remedial actions have been taken?
Several deployments have proactively been upgraded. Security being very high amongst our priorities, we are continuously monitoring the developments and coordinating with customers for remedial actions across all deployments. Back to Top
6. Will this incident impact or interrupt the delivery of Comviva products and services?
Currently, we are not anticipating any service impact. However, we are continuously assessing the situation at various deployments and working towards addressing customer concerns (if arises) on a war footing. Back to Top
7. What is the impact to Comviva’s business?
At the time of writing this note, there has been no impact observed. But the situation is under continuous observation and any impact shall be communicated to the stakeholder proactively. Back to Top
8. How does Comviva protect its environment from potentially affected software?
Comviva has a focused security response team who along with partners in security business are working non-stop to mitigate risks across all active deployments at the earliest. Back to Top
9. Have Comviva’s suppliers and vendors been impacted by Log4j vulnerability?
Comviva is engaging with the suppliers and third-party partners to assess the impact of Log4j vulnerability and taking necessary remedial steps on a case-to-case basis. Back to Top
10. Who is affected by this vulnerability?
As per the information available in the public domain, basically any device that’s exposed to the internet is at risk, if it’s running Log4j version earlier to version 2.16.0. It is also applicable also to any dependencies that might be using the older versions of Log4j.
Development community should be aware of the usage of any dependencies in addition to focusing on their own application software. Back to Top
11. How to remove the risk of the Log4j vulnerability?