LobbyGov has received several requests from customers regarding our exposure to the Apache Log4j vulnerability. This statement outlines the results of our risk assessment and mitigation efforts. Any questions about this statement or other security-related issues may be sent to email@example.com.
On December 13, 2021, the U.S. Cybersecurity and Infrastructure Security Agency issued information regarding a vulnerability in Apache's Log4j software. In the days that followed, an additional vulnerability was identified (CVE-2021-44228, CVE-2021-45046). Apache Log4j is Java software in use around the world for logging purposes.
Log4j Usage Analysis
LobbyGov has analyzed its application codebase and servers to identify any log4j use. LobbyGov's core application does not use log4j. The use of log4j is limited to an isolated third-party component that is not accessible through the public Internet.
LobbyGov has examined network logs and other server logs to identify any log4j exploit attempts. No such attempts were identified during this review. LobbyGov does not have any information to suggest its application or servers have been exploited due to log4j.
Initial Mitigation Efforts
LobbyGov has implemented the recommendations of the third-party component's provider to patch the software to remediate the log4j vulnerability. LobbyGov also verified its security protocols to ensure sufficient protection against any log4j-related attack, including the use of secure firewalls, IP-based permissions, industry-standard encryption, timely patching of server instances, and other best practices.
LobbyGov will continue to monitor its application and network traffic for indications of log4j exploit attempts and respond as appropriate. LobbyGov will also continue to monitor U.S. CISA for additional guidance around the log4j vulnerability.