Updated: December 21, 2021
Risk Intelligence deployed appropriate patches as of 4 a.m. EST December 21, 2021.
Original Post:
As you may know, a vulnerability within the Apache Log4j tool was identified on Friday, December 10, 2021 – tracked as CVE-2021-44228. Log4j is a logging framework created by Apache and used widely across the internet. Many, many services are potentially vulnerable to this exploit.
Our Security, Engineering and DevOps teams, under the direction of our CSO, conducted a full impact assessment once the vulnerability was initially identified December 10 and found no evidence of successful exploitation. In addition, our internal Red Team completed a deep analysis of our code as well as testing.
Since then, the Apache Software Foundation (ASF) has rolled out additional updates to address CVE-2021-45105 and CVE-2021-45046. In response, N-able engineers have removed the log4j package from the RMM platform. RMM is no longer at risk from this vulnerability or any potential future log4j vulnerabilities. Risk Intelligence deployed appropriate patches as of 4 a.m. EST December 21, 2021.
N-able can confirm there are no vulnerabilities in these products, as they do not utilize a vulnerable version of Apache Log4j or they may not utilize Apache Log4j at all:
- *N-central
- Backup
- Mail Assure
- MSP Manager
- Passportal
- N-able Service Desk
- SpamExperts
- SSO
- Take Control
* It was initially believed that N-central may have utilized a vulnerable version of Apache Log4j. After further investigation, it was determined that N-central was not vulnerable because N-central only utilizes the Log4j-API component, and not the Log4j-core component. We apologize for any confusion.
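The distinction drawn in the note above (log4j-api present, log4j-core absent) can be checked by looking inside the Java archives on a host. The Python below is an added example, not N-able's tooling: it assumes unshaded Log4j 2 class paths, and the function names and the sample archives built by `make_jar` are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# Class paths inside the Log4j 2 artifacts (assumption: unshaded, unrelocated packages).
API_MARKER = "org/apache/logging/log4j/Logger.class"    # ships in log4j-api
CORE_PREFIX = "org/apache/logging/log4j/core/"          # ships in log4j-core
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"   # class behind CVE-2021-44228
ARCHIVES = (".jar", ".war", ".ear")

def components(data, depth=0):
    """Return the Log4j 2 components found in one archive, including nested archives."""
    found = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found                      # not a readable archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                found.add("jndi")
            if name.startswith(CORE_PREFIX):
                found.add("core")
            elif name == API_MARKER:
                found.add("api")
            elif name.lower().endswith(ARCHIVES) and depth < 4:   # fat JAR / WAR contents
                found |= components(zf.read(name), depth + 1)
    return found

def verdict(found):
    if "jndi" in found:
        return "core-with-jndilookup"     # log4j-core present: check its version next
    if "core" in found:
        return "core-without-jndilookup"  # core present, lookup class stripped
    return "api-only" if "api" in found else "no-log4j2"

def scan_tree(root):
    """Map every archive under root to its verdict."""
    return {str(p): verdict(components(p.read_bytes()))
            for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES}

def make_jar(*entries):
    """Build a constructed sample archive; entries are names or (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for e in entries:
            zf.writestr(*(e if isinstance(e, tuple) else (e, b"")))
    return buf.getvalue()
```

A `core-with-jndilookup` result means log4j-core is present and its version still has to be compared against the fixed releases; it is not by itself proof of exposure.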
Our teams have not found any active exploits of this vulnerability, are confident in the safe use of N-able products and don’t recommend taking any N-able services offline. Our hosted RMM instances are architected behind a Web Application Firewall, which is configured to proactively prevent attacks against our systems.
This potential vulnerability remains a top priority for our Security, Engineering and DevOps teams. We continue to monitor for any developments with this evolving industry-wide risk and will re-evaluate for exposure as necessary. Thank you for your continued patience and understanding.
Additional links
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228