Updated Response to Log4Shell

Response to Log4Shell (CVE-2021-45105)

UPDATE: Further to the information below, a subsequent vulnerability in the previous patch version 2.16 to the Java library “Log4J” (“Affected Library”) has been discovered and reported to be vulnerable to denial-of-service attacks (CVE-2021-45105). This subsequent vulnerability was classified as a 7.5/10 risk.

This subsequent vulnerability had the potential to impact many cloud-based services if not addressed, and is not a vulnerability specific to Lexer’s services.

In response to this new information regarding (CVE-2021-45105), on December 20, 2021, Lexer performed further action to remediate the potential vulnerabilities. Lexer has now updated to version 2.17, which will replace the Affected Library.

Lexer will continue to monitor for any additional security vulnerabilities, and will update this page with any new information.

Chris Brewer
CFO & Information Security Officer, Lexer

UPDATE: On Saturday December 18 2021 AEST, a second zero-day exploit in the popular Java library “Log4J” (version 2) (“Affected Library”) was discovered, commonly referred to as “Log4Shell” (CVE-2021-45046). Once again, this vulnerability can be used to execute code remotely by logging a certain malicious string.

This second vulnerability was initially classified as a 3.5/10 risk, it was later reclassified as “severe” and increased to 9/10 risk. This Affected Library had the potential to impact many cloud-based services if not addressed, and is not a vulnerability specific to Lexer’s services.

In response to the new information regarding both the primary vulnerability referred to below (CVE-2021-44228) and the secondary vulnerability (CVE-2021-45046), Lexer performed further action to remediate the potential vulnerabilities. Lexer has now updated to version 2.16.0, which will replace the Affected Library, and applied patches which address both primary and secondary vulnerabilities.

Lexer has also conducted a review of the potential risk to its systems posed by the Affected Library (before it was updated) and, as at the date of publication of this notice, we have not found that there has been any breach of Lexer, partner or customer data as a result of this vulnerability.

Lexer takes cyber security very seriously, and in response to the vulnerability, temporarily suspended some functionality of Lexer services on 18 December 2021 briefly until it could be confident that the vulnerability had been appropriately remediated.

Lexer will continue to monitor for any additional security vulnerabilities, and will update this page with any new information.

Chris Brewer
CFO & Information Security Officer, Lexer

Response to Log4Shell (CVE-2021-44228)

On 9 December 2021, a zero-day exploit in the popular Java library “Log4J” (version 2) (“Affected Library”) was discovered and widely reported, commonly referred to as “Log4Shell” (CVE-2021-44228). The vulnerability can be used to execute code remotely by logging a certain malicious string.

Given the common use of the Affected Library and the potential impact of the vulnerability, this issue was classified as “severe”. This Affected Library had the potential to impact many cloud-based services if not addressed.

An update was published to this library (version 2.15.0) to remove the vulnerability, so that it is no longer vulnerable to this issue (“Updated Library”). Lexer updated from the Affected Library to the Updated Library, promptly upon becoming aware of the issue. By way of update to our earlier remediation steps, Lexer has performed further action to remediate potential vulnerabilities which were not fixed by the Updated Library in the version 2.15.0 update. Lexer has now updated to version 2.16.0, which will replace the Affected Library.

Lexer has also conducted a review of the potential risk to its systems posed by the Affected Library (before it was updated) and, following our investigation, found that there has been no breach of any Lexer, partner or customer data as a result of this vulnerability.

We also recommend that our clients check whether any (non-Lexer) software that they are running may be impacted and check in with applicable vendors for available patches.

Chris Brewer
CFO & Information Security Officer, Lexer