You should bring this Support Notice to the attention of your Information Technology (IT) department or webmaster.
A critical security vulnerability known as the Apache Log4j 2 Vulnerability allows attackers to compromise systems using the open-source Java-based Apache Log4j 2 framework commonly used component for logging requests.
Systems running Apache Log4j 2 version 2.14.1 or lower are vulnerable. The National Institute of Standards and Technology (NIST) identified the vulnerability as CVE-2021-44228 with a severity of 10, which is critical severity.
The vulnerability allows attackers to use the Apache framework to run malicious code.
Essent Service Impact Analysis
There is no impact to Essent products and services.
Essent was aware of this problem from its announcement and immediately took action to verify that no Essent offerings or systems managed under Facility Management Support (FMS) service subscriptions were vulnerable.
All business and commerce products including Compass™, SiteBuilder™, PunchOutNow™, Direct2Decoration™, OrderTrax™, and the Essent Commerce Cloud™ is not affected by this vulnerability. Essent security products, like the Netset™ Network Security Appliance, are also not vulnerable.
No corrective action is required as it pertains to Essent offerings or systems managed under FMS.
Essent encourages customers using the Apache framework to perform their own evaluation and prioritize patching of any public Internet-facing service first.
Specifically, anyone using Apache Log4j 2 version 2.14.1 or lower should upgrade immediately to version 2.15 or higher.
In the event an upgrade can’t be performed immediately, Google provides further mitigation steps including Apache configuration options and third-party scanning and blocking tools.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said the following:
"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. … We continue to urge all organizations to review the latest CISA current activity alert and upgrade to Log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately.”
The full statement from Easterly is available on the CISA website.