Drake Software Statement on the Apache Log4j Vulnerability
Drake Software, LLC (“Drake”) is aware of the recently disclosed Apache Log4j Remote Code Execution Vulnerability, and has taken the following steps to ensure the continued protection of its operations and customers.
Actions
Upon receiving cybersecurity threat intelligence reports last week regarding this vulnerability, Drake’s Operations and Cybersecurity teams began investigating potential impacts to our systems, products, and services and implementing proactive risk mitigations. The following are examples of some of the actions taken:
- Information about the Apache Log4j vulnerability was collected from sources such as the Cybersecurity & Infrastructure Security Agency, Apache Software Foundation, and crowdsourced data collected on Github
- Potential use of Log4j in Drake’s software products was assessed
- Drake network perimeter defenses were tuned to explicitly identify and block log4j exploit attempts
- Potential exposures in third-party software, systems, and services were investigated
- Drake’s security event tracking and alerting system was configured to alert on log4j exploit attempts and indicators of system compromise
- Daily security vulnerability scans were configured to hunt for vulnerable systems within Drake’s networks
- A third-party cybersecurity consulting team was brought in to perform external security testing
Results of Analysis
- Products
- Drake’s products are not directly susceptible to the Log4j vulnerability. Drake does not incorporate Log4j code into the software it develops, nor does it use log4j for logging functions in online products.
- Administrative Infrastructure
- Some third-party software products used in Drake’s internal operations were identified as having potential exposures. These systems were, and continue to be, isolated from Internet exposure, and have been scheduled for patching as vendors release their fixes. Drake has found no indication of system compromise associated with the Log4J vulnerabilities in Drake’s environment.
- Third-party Service Providers
- Drake has found no indication that third-party services, relied upon by Drake, have had a compromise associated with the Log4J vulnerabilities.
Ongoing Vigilance
Drake expects this issue to evolve over time, and will continue to actively monitor internal operations and third-party software, system, and service provider advisories, as well as apply additional recommended mitigations as necessary.