Centric on maximum alert regarding Apache Log4j vulnerability

Last Friday, 10 December, the Dutch National Cyber Security Centre announced the need for urgent action regarding the Apache Log4j vulnerability.

Update Friday 17 December

At this moment there is no new information to report. We are still working at full force on the issue and will report to you after this weekend or as soon as we have new information. Please visit the Customer Portal for more detailed information for your specific situation.

We would like to emphasize that this Apache Log4j vulnerability is likely to pose risks to the business continuity of a number of organizations in the coming period. For more information, please refer to GitHub, the Informatiebeveiligingsdienst (in Dutch) and the NCSC (also in Dutch).

-------------------------------------------

Update Thursday 16 December

So far, there are no indications that the Apache Log4j vulnerability has been exploited in any of our systems or services.

As previously stated, we continue to scan our network perimeter and analyze the reports for possible anomalies. This also applies to our internal testing to identify vulnerable Log4j installations, where we work closely with our integration partners. In case a patch is needed, we will update to the latest available version of Apache Log4j (2.16).

We have published a list of non-vulnerable applications on our Customer Portal. This list will be updated regularly to provide the latest information available.

We are proactively reaching out to our customers to help scan their own environments to address a possible Apache Log4j vulnerability. Furthermore, we organize "Ask me anything" sessions for our customers to help them stay informed. Our customers can find more information about this on our Customer Portal.

Once more, we strongly urge our customers to contact their third-party suppliers and any other integration partners to ensure that the Apache Log4j vulnerability is addressed appropriately for applications and systems that are outside of our control.

This Apache Log4j vulnerability is likely to pose risks to the business continuity of a number of organizations in the coming period. For more information, please refer to GitHub, the Informatiebeveiligingsdienst (in Dutch) and the NCSC (also in Dutch).

-------------------------------------------

Update Wednesday 15 December

There is currently no indication that the Apache Log4j vulnerability has been exploited in any of our systems or services.

In the coming period, we will keep scanning our network perimeter and continuously analyze the reports for possible anomalies. This also applies to our internal testing to identify vulnerable Log4j installations, where we work closely with our integration partners. In case a patch is needed, we will update to the latest available version of Apache Log4j (2.16).

Because Apache Log4j is used in many third-party software components, it takes time to verify whether Centric applications are safe to use regarding this vulnerability. We are working hard to make this information available for each application via our Customer Portal.

Centric continues to do its part in ensuring the safety of the applications and systems under our control and management. We strongly recommend that our customers check GitHub and follow the advice given by the Informatiebeveiligingsdienst (in Dutch) and the NCSC (also in Dutch). Furthermore, we strongly urge our customers to reach out to their third-party suppliers and any other integration partners to ensure that the Apache Log4j vulnerability is addressed appropriately for applications and systems that are outside of our control.

-------------------------------------------

Update Tuesday 14 December

As previously stated, all Centric domains and environments are being monitored and evaluated continuously by our experts, securing our customers’ environments and applications. At this moment, we have completed scans of our perimeter that cover over 4,700 distinct server installations. This equates to 85% of our server environment. These scans currently show no evidence of any exploit of the Apache Log4j vulnerability.

We have 50 security advisors and coordinators working full-time with our customers to help identify potential Apache Log4j risks. These advisors are reporting back on each application as its status is confirmed. Thus far, we see no evidence of exploits within our systems.

In the coming period, we will complete the initial scanning of our network perimeter and analyze the reports for possible anomalies. We will also continue to perform internal testing to identify vulnerable installations of Apache Log4j, work closely with our integration partners and take action if needed.

Centric continues to do its part for the applications and systems under our control and management. We strongly recommend that our customers check GitHub and follow the advice given by the Informatiebeveiligingsdienst (in Dutch) and the NCSC (also in Dutch). Furthermore, we strongly urge our customers to reach out to their third-party suppliers and any other integration partners to ensure that the Apache Log4j vulnerability is addressed appropriately for applications and systems that are outside of our control.

-------------------------------------------

Update Monday 13 December

All Centric domains and environments are being continuously monitored and evaluated by our experts, securing our customers’ environments and applications. At this moment, no security breach has been found. Our customer teams and security experts are working closely with customers to address the Apache Log4j vulnerability.

We are providing customers with information regarding other third-party software providers they might need to cooperate with to address this vulnerability.

In addition, we strongly recommend that our customers check GitHub and follow the advice given by the Informatiebeveiligingsdienst (in Dutch) and the NCSC (also in Dutch).

Customers who may have questions regarding their systems are kindly requested to contact Centric via their usual channel.

-------------------------------------------

Update Sunday 12 December

Centric’s team of security practitioners and developers immediately started their investigation to protect Centric and Centric’s customers.

There has been no breach, and we continue our high alert with automated monitoring of all network traffic.

We are in constant contact with the Dutch government and the suppliers of various potentially impacted software packages.

Customers who may have questions about their systems are kindly requested to contact Centric via their usual channel.