By: Charles Kraus, Senior Product Marketing Manager
December 13, 2021
Limelight Networks has been actively tracking the newly discovered Apache Log4J vulnerability, which security researchers have found is being actively exploited across the Internet. For reference, known details of the vulnerability can be found here:
The vulnerable component, Log4J, is quite common on systems that run Java applications. This high-severity vulnerability is actively being exploited across the Internet, allowing attackers to perform remote code execution on victims' systems.
Immediately following notice of the newly discovered vulnerability on December 9, Limelight's information security team and technical leadership kicked off a high-priority investigation to determine its impact, if any, within our environment. Limelight does not use Java within the critical path of its delivery network, and we have not discovered any exploitation during our investigation. We have included our findings by product line at the bottom of this document.
Limelight will continue its work to ensure that the Log4J vulnerability is not impacting our environment or our customers. Limelight also continues to work with its vendors to ensure that appropriate responsive measures are being taken on their end.
Given the vulnerability's severity and the broad use of Log4J throughout the Internet, Limelight highly recommends that our customers perform similar actions to ensure their environment is safe from such attacks. Everyone should update vulnerable systems to the latest version of Log4J as soon as possible, or implement configuration changes to reduce the risk of exploitation until patching can occur. Additionally, make sure to check with all your vendor partners to understand their exposure and their response to this risk.
If you have further questions about our response to this threat, or to discuss how to best protect yourself, please do not hesitate to contact us.
EdgePrism: No Log4j exposure
Storage: No Log4j exposure
EdgeFunctions: No Log4j exposure
RTS: No Log4j exposure
Layer0/AppOps: No Log4j exposure
MMD: Uses non-vulnerable version of Log4j