Apache Log4j vulnerability update

You may have heard or seen recent news reports about a worldwide vulnerability in a widely used Java library logging component, Apache Log4j. This communication aims to inform you about how this vulnerability might impact you as a Malvern Panalytical customer, and help you mitigate any risks with our support.

What is Apache Log4j, and why is this logging library so popular?

Apache Log4j is a Java-based logging utility which is part of the Apache Logging Services. This library is one of the easiest ways to log errors and bugs, and is used by the majority of Java developers. Many large software companies and online services, including those offered by Malvern Panalytical, use the Apache Log4j library.

So, what’s the issue with Log4j?

On the 10th of December, the Apache Software Foundation announced that a security vulnerability had been discovered in certain versions of Apache Log4j. This vulnerability is known as ‘Log4Shell’ and comprises several vulnerabilities: CVE-2021-44228, CVE-2021-44832, CVE-2021-45046 and CVE-2021-45105. Because of the popularity of this logging library, some information security researchers expect a significant increase in cyber-attacks on vulnerable servers.

The Apache Software Foundation has since addressed the vulnerabilities in its release of Log4j 2.17.1.

How are we protecting Malvern Panalytical’s services and customers?

As soon as we were notified of this problem, we verified the vulnerability and immediately initiated our own mitigation actions. We have performed a thorough review of our entire IT environment, identified those areas which may be at risk, and put security patches in place to protect them; these patches have allowed us to mitigate the current attack possibilities.

At Malvern Panalytical, we always operate to an extremely high level of cybersecurity, but due to the current vulnerability, we have set up additional and specific log file analysis and screening.

Are any of Malvern Panalytical’s products or software exposed to risks?

We have now reviewed our complete technology and software portfolio, and have not found any associated vulnerabilities. In addition, we recommend that you always update Malvern Panalytical’s software to the latest available version. This will help minimize any impact from future security vulnerabilities. For many of our software solutions, you can visit our website to download and install the latest version or updates. If your software is not listed there, or you’d prefer direct help from our specialists, please don’t hesitate to contact our support desk.

If you have any further questions or concerns, please reach out to your local sales representative, who will be happy to help.