Log4Shell Update

Since notification of the LOG4J vulnerability, Daisy have worked around the clock, engaging stakeholders across our vast portfolio of products, and services under the coordination of our Major Incident Management team. It became abundantly clear that the scope of review and ongoing investigation to mitigate risks, not only in our own environment, but to support our customers in doing the same would be extraneous and we have committed to ensuring we remain close to this issue for the, likely, months ahead.

In order to clarify our approach, we are taking guidance and support from a number of sources both internally and, these include but are not restricted to:

• Our Security Operations Centre and associated threat intelligence sources
• Internal IT Teams
• Specialists across our operations teams spanning all technologies
• NCSC and CISA
• Proactive engagement with all of our direct vendors, as well as extended research where required.

As a result of this detailed intelligence-gathering exercise, we’re convening daily with teams in place to react outside standard business hours should a risk be identified, or information become available that requires us to act in order to prevent an issue. Our efforts have focused on the following:

• Actively monitoring the scope, scale and intent of the issue, any variations, vendor-specific news and affected products to identify possible mitigations.
• Continued engagement with our technology partners and vendors
• Ensure that our Security Notification service, accessible via our website is maintained with the most up-to-date information we have.
• Expanding our detection capabilities within our SOC
• Proactively reviewing and performing available scans to diminish and eradicate areas of concern.
• Triaging our own perimeter and internal systems to gauge the potential impact on our environment and ensure the safety and reliability of our services, and those of our customers.

It is vital that we stress that based on current information, there is no irrefutable way for us or anyone to completely mitigate any risk at all. The situation continues to unfold, and we believe we are in a very strong position ahead, or on point with any information as it is published.

We continue to urge you to press your other suppliers for similar statements of intent and scope to offer reassurance across all areas. Daisy will endeavour to continue to provide updates, where they will add value and maintain a strong, robust focus on the safety of our systems, and the integrity of our services.

If you suspect you have been affected by this vulnerability or need to discuss further advice please contact our Service Desk team on 0330 024 3333 or raise a ticket via our Customer Portal.

Daisy’s Position

Daisy are continuing to monitor Log4Shell developments, assessing the ongoing vendor statements and threat intelligence sources. Scanning of both internal and external assets have been central to our efforts as this potentially posed the highest risk across the infrastructure. All Daisy service portals have been included within this activity, in addition to our monitoring systems.

Current Advice

Advice from Apache and credible threat researchers has changed and may still change as this situation develops.

We want to be clear that it’s important that our customers understand that where relationships with vendors are held directly, we recommend immediate engagement with those vendors to seek product-specific advice or known-risks and any associated activity they can provide to help mitigate vulnerabilities. Daisy cannot offer support on third-party software or applications where we do not own the relationship or management of the service.

Our current advice can be found within the initial security notification here.

Next steps

Daisy have been working around the clock to engage with our extensive portfolio of vendors and partners which has led to a number of proactive scans and coordinated approaches to review our overall infrastructure. We have reacted to official statements from our vendors where patching or updates are required to mitigate risk and customers will be contacted directly to arrange associated work via our formal change process.

Management infrastructure and managed customer devices are now in-scope, with this being run in parallel to all continuous monitoring and best practise advice released. We will continue to review and update the advice provided via our website, ensuring it reflects the most relevant, and useful information to support you, as well as ourselves.

Summary

Daisy are aware of the recently disclosed Log4j vulnerability dubbed “Log4Shell”, officially CVE-2021-44228. This has impacted many internet services globally, with more details on affected elements coming to light due to the comprehensive application of Log4j.

On a vulnerable instance this can potentially enable a malicious actor to run arbitrary code in the context of the application. Exploitation code has been publicly released, and activity relating to exploitation has been observed on the internet, affecting companies such as Apple, Amazon Web Services and many more.

Daisy’s Position

Daisy have taken a robust approach which is being led by our Security Operations team with technical experts across our wide range of services, supporting in monitoring this situation as it develops. Taking initial investigative efforts to focus on perimeter and infrastructure services as we believe these would pose the greatest risk.

Extensive research is being carried out in order to ensure our portfolio of partners, vendors and suppliers are engaged to understand the impact, if any, and allow us to coordinate workstreams as well as provide suitable advice that allows you, our customers to mitigate any known risks as soon as possible.

Current Advice

For any customers managing software or devices utilising Log4j we ask that those instances are updated or mitigated as soon as possible to minimise the associated risk. In addition, where customers have SOC services provided by third parties, we recommend that they are engaged to provide additional support and Guidance. In this way we can ensure a collaborative approach from all sides.

Please see the previous security notification for further information here:

https://daisyuk.tech/notification/log4shell-cve-2021-44248-public-notification/

Next steps

We will continually review and update the advice provided via our website, ensuring it reflects the most relevant, and useful information to support you, as well as ourselves

If you suspect you have been affected by this vulnerability or need to discuss further advice please contact our Service Desk team on 0330 024 3333 or raise a ticket via our Customer Portal.