On December 10, 2021, a critical security vulnerability was announced for the Apache Log4j software library. Log4j is developed by Apache and is a Java component which is widely used for logging purposes. It is frequently incorporated into Java-based software applications.
RSA’s Security Incident Response team was immediately engaged to assess the level of vulnerability for our customers. We quickly determined that certain versions of RSA’s WebCRD and QDirect software solutions were indeed vulnerable.
RSA’s Software Engineering team quickly developed a configuration change followed by a software patch to protect our customers. The changes remove the risk by disabling lookups via system properties. Fortunately, RSA was able to “push” the changes to most most of our customers in an automated fashion, ensuring that most were protected within several days. A small subset of our customers needed to be patched manually by RSA. This work is very nearly complete.
RSA does not have any evidence to suggest that any of our customer systems or internal systems were successfully breached due to this exposure.
Future releases of RSA WebCRD and QDirect will include the updated version of the Log4j library. As always, we encourage all eligible customers to request an upgrade from RSA by contacting us at firstname.lastname@example.org.
If you have questions about this security vulnerability or any other, please feel to contact us at email@example.com.