Security researchers have discovered and published information relating to an input validation vulnerability within JDNI features in Apache Log4j versions 2.14.1 and earlier. This potential vulnerability is frequently being referred to as "Log4Shell" and significant information is now available from multiple sources. Ethical researchers and threat intelligence professionals have been trying to discover vulnerable organizations, point out the risks and help them remediate the potential vulnerability. At the same time, cybercriminals are also in discovery mode but for certain nefarious actions.

​This vulnerability represents a significant potential risk to organizations for three reasons: 

1. It provides an ability for an attacker to execute arbitrary code
2. The potential vulnerability is widespread
3. It is relatively trivial to execute if the right conditions exist. Significant information is now publicly available on those conditions. 

​​​​​​

Was Mimecast susceptible to the potential vulnerability? 

Yes - like many organizations globally, Mimecast used the potentially vulnerable versions of Log4Shell within Mimecast Services and identified that certain third-party suppliers also used the potentially vulnerable versions of Log4Shell. Upon the disclosure of the potential vulnerability, we took immediate actions (as discussed below) to evaluate and remediate any potential vulnerability. 

We have undertaken extensive analysis and identified and remediated vulnerable services.
 

What actions did Mimecast take?

• Upon the disclosure of the potential vulnerability, we took immediate actions (as discussed below) to evaluate and remediate any potential vulnerability. 
• We have undertaken extensive analysis and identified and remediated vulnerable services. We have implemented recommended actions from multiple sources that are designed to prevent the potential vulnerability from being exploited across all of our systems. This included applying recommended patches, adding multiple layers of prevention, both on hosts and at the external firewall to block potential attacker communications via published indicators of compromise (IOCs). This remediation required the restarting of all Mimecast services since the initial disclosure of the potential vulnerability. This was completed by our engineering and technical operations teams with zero disruption or degradation of our services. 
• Our adversary simulation teams have validated the efficacy of these prevention measures through extensive testing. 
• We have conducted intensive forensic investigations and collaborated with our strategic cybersecurity experts to verify that there is no evidence of pre-disclosure exploitation of the Log4Shell vulnerability in any of our systems, including, without limitation, services to our customers. 
• We continue to work with those strategic cybersecurity experts to ensure continuous threat monitoring of all our services for this potential vulnerability as part of our ongoing monitoring for potential vulnerability and threats of all our solutions. 
• Our response has incorporated into both customer facing services and internal corporate systems. 

 

Have we seen evidence of email or malware being used as an attack vector against customers?

No. Although a possible vector email is very unlikely due to the nature of this potential vulnerability and how it can be exploited. We will continue to monitor the situation closely as we do for other potential threats.

 

Mimecast will continue to monitor the situation closely as it evolves and will take further appropriate actions immediately if they are required.  As the security of our customers is paramount, we will continue to provide updates to customers as new information emerges.