Apache Log4J Zero Day Vulnerability Update – 20/12/2021
What we are doing
Six Degrees CSOC (Cyber Security Operations Centre) is continually monitoring threat intelligence sources for Apache Log4j vulnerability developments, and our Threat Response Team is closely reviewing vendor statements as they are released.
We are acting on vendor statements where workarounds, patches and updates have been advised. Where downtime is required, customers have been and will be contacted directly to agree a mitigation action plan.
What we have done
What you can do
What’s next
We will continue to monitor the situation and provide updates via our Information hub. Our technical teams across all our products are continuing to apply vendor fixes for this vulnerability as they are released.
CVE-2021-45046 and CVE-2021-45105
Severity: CVE-2021-45046 is rated 9.0/10 (Critical). CVE-2021-45105 is a denial-of-service issue rated lower (7.5, High, by Apache when first published; 5.9, Medium, by NVD).
There have been further developments in the Log4j vulnerability. The Apache Software Foundation (ASF) released Log4j 2.17.0 on 17 December to address a denial-of-service vulnerability (CVE-2021-45105) that remained after 2.16.0, the release previously recommended as the fix. The vulnerable component is the log4j-core library bundled with each Java application, not the Java runtime itself, so the CSOC recommends updating the Log4j library in every deployed Java application as soon as possible to remove exposure to this vulnerability.
Ensure that every Log4j 2 deployment is on a fixed release: 2.17.0 for Java 8 and later, or 2.12.3 for Java 7. Check application archives (including jars nested inside WARs and fat jars), not only the JRE version.
Alternatively, CVE-2021-45105 can be mitigated in configuration, per the Apache advisory: in PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc or %MDC), or remove those lookups where the data originates outside the application (for example HTTP headers or user input). Note that this configuration change does not address CVE-2021-45046; short of upgrading, the only mitigation for that issue is removing the JndiLookup class from the classpath.
Note. Further guidance on these mitigation steps can be found at: https://logging.apache.org/log4j/2.x/security.html
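As a worked version of the two checks above (which Log4j release is actually deployed, and whether a logging configuration still contains Context Lookups), here is an added example. It is not Six Degrees' or Apache's code. It assumes the fixed versions from the Apache advisory (2.16.0/2.17.0 for the Java 8+ branch, 2.12.2/2.12.3 for the Java 7 branch), reads the log4j-core version from its Maven pom.properties (falling back to the jar manifest), and recurses into nested jars so that WARs and fat jars are covered. The sample jar, WAR and configuration lines are constructed in memory so the script runs offline.

```python
"""Check log4j-core jars and log4j2 configs for CVE-2021-45046 / CVE-2021-45105.

Added example, not code from the page's author or from Apache. Assumptions that
are not on the page: fixed versions per the Apache advisory (2.16.0/2.17.0 for
Java 8+, 2.12.2/2.12.3 for Java 7); the version comes from log4j-core's
pom.properties, falling back to MANIFEST.MF. Sample archives are constructed.
"""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PREFIX = "org/apache/logging/log4j/core/"
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")  # ${ctx:key} and $${ctx:key}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are dropped."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def outstanding_cves(version):
    """Subset of {CVE-2021-45046, CVE-2021-45105} a log4j-core version is still
    exposed to, or None if it is not Log4j 2.x (these CVEs are 2.x only)."""
    v = parse_version(version)
    if v[0] != 2:
        return None
    if v[:2] == (2, 12):                               # Java 7 branch
        fix_45046, fix_45105 = (2, 12, 2), (2, 12, 3)
    else:                                              # Java 8+ branch; 2.3.x (Java 6) had
        fix_45046, fix_45105 = (2, 16, 0), (2, 17, 0)  # no fix at the time, so it is treated as exposed
    cves = set()
    if v < fix_45046:
        cves.add("CVE-2021-45046")
    if v < fix_45105:
        cves.add("CVE-2021-45105")
    return cves


def _manifest_fields(text):
    """Parse MANIFEST.MF into a dict; continuation lines start with one space."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    fields = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_log4j_core(archive_bytes, path):
    """Yield (location, version) for every log4j-core inside a jar/war/ear,
    recursing into nested archives (WEB-INF/lib/*.jar, shaded fat jars)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = "unknown"
            if POM_PROPS in names:  # still correct inside a shaded jar, unlike the top-level manifest
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    version = m.group(1).strip()
            elif "META-INF/MANIFEST.MF" in names:
                fields = _manifest_fields(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
                version = fields.get("Implementation-Version", "unknown")
            yield path, version
        for n in names:
            if n.endswith((".jar", ".war", ".ear")):
                yield from find_log4j_core(zf.read(n), f"{path}!/{n}")


def report(archive_bytes, path):
    """[(location, version, outstanding CVEs)] for one deployed archive."""
    return [(loc, ver, outstanding_cves(ver)) for loc, ver in find_log4j_core(archive_bytes, path)]


def context_lookups(config_text):
    """Context Lookups in a log4j2 config. Apache's CVE-2021-45105 mitigation is to
    replace them in PatternLayout with %X{key}, which prints the Thread Context
    value instead of re-evaluating it as a lookup."""
    return CTX_LOOKUP.findall(config_text)


def make_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "lookup/JndiLookup.class", b"")
    return buf.getvalue()


def make_sample_war(core_version):
    """Constructed WAR bundling the sample jar under WEB-INF/lib (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/log4j-core-{core_version}.jar", make_sample_jar(core_version))
    return buf.getvalue()


if __name__ == "__main__":
    for loc, ver, cves in report(make_sample_war("2.16.0"), "app.war"):
        status = "fixed" if not cves else "still exposed to " + ", ".join(sorted(cves))
        print(f"{loc}: log4j-core {ver}: {status}")
    weak = '<PatternLayout pattern="%d %p ${ctx:loginId} %m%n"/>'   # constructed config lines
    fixed = '<PatternLayout pattern="%d %p %X{loginId} %m%n"/>'
    print("weak config:", context_lookups(weak), "| fixed config:", context_lookups(fixed))
```

Pointing `report()` at real archives is a matter of reading each `.jar`/`.war`/`.ear` under the deployment directory and passing its bytes; a `"unknown"` version means log4j-core classes were found but neither metadata file was present, which is typical of hand-repacked jars and should be treated as exposed until checked by hand.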
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
It is worth pointing out that the severity score of CVE-2021-45046, originally classified as a denial-of-service vulnerability, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the flaw to send a specially crafted string that leads to “information leak and remote code execution in some environments and local code execution in all environments,” corroborating an earlier report from security researchers at Praetorian. Treat any system on 2.15.0 or earlier as exposed to a potential remote code execution issue, not merely to denial of service.
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://logging.apache.org/log4j/2.x/security.html
https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance