Hi,
Today I receive an email from one of my customers which uses my ASP.NET application. This is the content of their email:
In recent days, there have been multiple security advisories from Homeland Security (https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance) and considerable media
coverage of the Log4j vulnerability. This flaw, disclosed by Apache last week, allows attackers to
execute code remotely on a target computer, enabling the attacker to steal data, install malware or take
control of the target system.
As a partner of Organization Name, we are requesting that you provide information related to the
information related to [insert application (s)]. Please advise the following:
• Any public statement your organization has made related to this vulnerability and/or
• Specify any updates required at this time to [insert application] to remediate exposure to the Log4j vulnerability
• Notify Organization Name immediately of any change in status in the coming weeks related to further updates needed
Of course, I am not going to make any public statement.
But it is not clear if my application has an exposure to the Log4j (which I know nothing about) or
this is just a generic email they sent to all vendors?
What do you think?
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
