Apache Log4j 2 has been patched to version 2.17.1 across all components of the service.
All systems have been patched and configured to a non-vulnerable configuration of Apache Log4j 2 to address CVE-2021-44228 and other reported vulnerabilities up to date. All mitigations and monitoring remain in place. This concludes activities in response to CVE-2021-44228. We will continue to apply patches across our services – risk assessing and prioritizing as they become available.
On December 9, 2021 researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2. The Apache organization confirmed that a critical vulnerability (Apache defines its severity level of ‘critical’ as “A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.”) had been discovered in its logging library “Log4j.” More information can be found here: https://logging.apache.org/log4j/2.x/security.html.
Intralinks Global Security Operations (GSO) has identified where this component is currently used within the Intralinks Platform, assessed the defense protocols in place and confirmed all mitigation controls. GSO also confirms that all customer files are encrypted at rest, further mitigating confidentiality and integrity risks, should all other controls be circumvented. Firewalls are in place to prevent unauthorized connections to and from the platform, and to stop attack strings from reaching their destination. Intralinks engineering teams are in the process of identifying and patching log4j to version 2.15, where applicable. As platform patches become available and verified – the services will be deployed to production environments, in addition to existing mitigations, to eliminate the vulnerability across all systems.
The Intralinks GSO response plan includes obtaining assurances of mitigating this vulnerability from our key vendors. We have been actively monitoring our systems since becoming aware of the vulnerability and there have not been any indications of compromise of the Intralinks Platform. The GSO continues monitoring for attacks and the efficacy of our defenses. We will communicate updates as any significant, new information become available.
If you have a question about this vulnerability, please contact customer support.