ConnectWise, Datto, Kaseya, N-able, NinjaOne and Pax8 are among the first MSP software vendors and SaaS marketplace providers to publish statements on the widespread Log4j vulnerability (CVE-2021-44228), also known as Log4Shell.
The Log4j vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache Log4j 2, BlackPoint Cyber said, according to MSSP Alert.
In a press release on December 11, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) described the Log4j vulnerability as a “serious risk” and proposed four steps to fix Log4j and mitigate potential Log4Shell cyberattacks.
Yet cleaning up Log4j software around the world could take months, SC Media reported, because thousands of third-party software products run the code.
Against this background, many MSP software companies have checked their code for potential exposure to the vulnerability. For MSPs, status updates and guidance from associated vendors could help the entire managed services industry avoid potential supply chain attacks related to Log4j.
Log4j Statements from MSP Software Providers
Statements from various MSP software, platform and marketplace companies include:
- ConnectWise Log4j reviews are here.
- Datto has not assessed any significant exposure to the Log4j vulnerability that would impact the safe use of Datto products at present. If that assessment were to change, Datto said it would immediately notify its partners.
- Datto created the Log4Shell Enumeration, Mitigation and Attack Detection Tool for Windows and Linux, which downloads and runs the latest detection methods published by Florian Roth.
- Kaseya’s product list and Log4j recommendations are here.
- N-able determined that these software tools (N-central, Backup, MSP Manager, Take Control, Passportal, Mail Assure) were not vulnerable to the issue. The company also assessed the risks in N-able RMM and deployed patches for all potentially vulnerable components. Additionally, N-able could not find any evidence of successful exploitation on its software platform.
- NinjaOne has stated that none of its systems are affected by this vulnerability.
- Pax8, a marketplace for SaaS applications for MSPs, tweeted that the company has not detected any malicious exploitation due to the vulnerability.
Log4j Patches and Vulnerability Mitigation Steps
Meanwhile, MSP-friendly security companies such as BlackPoint Cyber, Cybereason and Huntress have released Log4j security guidance for MSPs and MSSPs.
Stay tuned for ongoing updates.
Article originally published on December 12, 2021. Regularly updated thereafter.