ComponentSource Log4J/Log4Shell 回應

This Security Response addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.

ComponentSource Computer Systems:

After an initial systems audit, ComponentSource internal systems and public facing systems should not be affected by CVE-2021-44228 and we have implemented additional mitigation steps to block known vectors of attack.

• Any servers or applications that use Log4J are on versions that are not affected by CVE-2021-44228.
• Access to and traffic from/to our internal networks, servers, and machines are mitigated by our Next Generation firewalls, and Endpoint security software. All have the currently known mitigations and settings to block known vectors of attack for this vulnerability.

We will continue to monitor and update with any new best practices and mitigations as they are released by our Enterprise Security vendors.

Commercial Products purchased from ComponentSource:

ComponentSource distributes/resells commercial-off-the-shelf (COTS) products for 200+ publishers. To check the status on any products purchased from ComponentSource, you should directly contact the respective publisher of the product. Many publishers have posted information on the Log4Shell mitigations or patches on their blogs, forums, or website, and many have been sending pro-active notifications to their registered customers.

A list of publishers and their contact information can be found here: https://www.componentsource.com/brand.

If any additional information is needed, please contact: support@componentsource.com.