Proofpoint: Statement Regarding CVE-2021-44228 - Java logging package log4j2

A critical remote code execution vulnerability affecting the popular Java logging package log4j2, CVE-2021-44228, was published on December 9, 2021.  Additional vulnerabilities in log4j were disclosed on December 14, 2021. The vulnerability is also referred to as Log4Shell.  Scanning and exploitation of the vulnerability began shortly after the vulnerability was disclosed.

Proofpoint immediately issued an internal advisory for mitigating all affected production and corporate environments. 

We also issued information for customers to know if their Proofpoint products have been affected by the vulnerability, which is publicly accessible here and in this article.  We will update this information as the situation develops and encourage customers to check frequently to obtain the most current status.

Additionally we continue our internal investigation to determine and address any impact. We are actively monitoring for new disclosures regarding indicators of compromise and attacker tactics, techniques, and protocols. Updates to this notification will be made if there are any significant changes to the available information about the threat.