Vulnerability in Apache Log4j library

This vulnerability exists in the Apache Log4j Java logging library and affects all Log4j2 versions earlier than 2.15.0.

This library is typically used by developers to maintain a log of an application’s activity.

Due to this vulnerability, Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

What do you need to do?

No action is required.  This announcement is for your awareness only.

We are aware of the announced vulnerability and confirmed that the impacted product is Cisco Webex Meetings Server. There is no action required regarding this product.

We are continuing to investigate and remediate any potential impact to our services, including patching all identified instances of this vulnerability in line with official government and vendor guidance.

This activity also includes a detailed assessment and advanced threat monitoring across all elements of BT’s estate and our supplier base.

We have not seen any evidence of an attack or malicious compromise of any of our systems and no loss of data as a result of this issue. 

Additional resources

A full description of the vulnerability is available on the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Service notice

We would like to keep you informed of any future service notifications. Please help us by bookmarking this website and by registering your details here.