1.1. What is it?
Log4j 2 is open-source software developed by the Apache Foundation and used in many software systems, including telephony products from many vendors. It is hard to know whether Log4j is being used in any given software system because it is often bundled as part of other software. A bug was found in Log4j 2 on Dec 10, 2021. A remote attacker can exploit this bug to take control of a device on the internet, and an internal hacker can do the same, if the device is running certain versions of Log4j 2. The exploit of the vulnerability has been given the name Log4Shell.
1.2. Is this a serious issue?
Yes. If your system uses an affected version of Log4j 2 and can be accessed remotely, then it can be compromised. Apache gave the vulnerability a score of 10 out of 10, the highest-level severity score, because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it.
1.3. Can it be fixed?
Apache have released a series of patches to fix the issue. Third-party companies are incorporating these patches into updates for their products. Fixing the issue on affected systems requires patching them with these vendor updates.
1.4. Is my system impacted?
This depends on whether your system is running a vulnerable version of Log4j 2. Older versions are not impacted. Your system may not use Log4j 2 at all. A high-level guide per vendor is provided below.

| Vendor | Status |
|---|---|
| Alcatel | Some products are vulnerable, and a customer-specific audit is required |
| Avaya | Some products are vulnerable, and a customer-specific audit is required |
| Liquid Voice | The vendor has indicated that none of their systems are vulnerable |
| NEC | No NEC product supplied by Welltel Group is currently listed as vulnerable by the vendor |
| Nectar | Some products are vulnerable, and a customer-specific audit is required |
| NICE | Some products are vulnerable, and a customer-specific audit is required |
| Nortel | Nortel telephony systems are end of support and therefore no security updates are available from the vendor |
| Toshiba | Toshiba telephony systems are end of support and therefore no security updates are available from the vendor |
| Unity | The Unifi WiFi controller is vulnerable, and a customer-specific audit is required |
| Verint | Some products are vulnerable, and a customer-specific audit is required |
| Welltel 360 Hosted Telephony | No Welltel 360/W360/Intune hosted telephony systems are impacted by the Log4j 2 vulnerability |
1.5. Can I patch my systems myself?
Log4j is an integrated part of the telephony system software and can only be patched using system-level patches from the telephony vendor, not the patches published by Apache. Patching the system requires the specific knowledge and experience of a Welltel telephony engineer.
1.6. Can you tell me if my system is vulnerable?
If you have a current service contract with Welltel for the system(s) then we can audit your system and provide a report free of charge. This report will include an estimate of the effort to remediate the issue with the current vendor recommended patches. The cost of implementing these changes is chargeable at the standard rate.
Please note that these costs assume work will be carried out during standard business hours, Monday to Friday. For out-of-hours (OOH) remediation, the hourly rate will reflect the service window time/day and will be 1.5 to 2 times the business hours cost.
If you do not have a current service contract with Welltel for the system(s) then please contact your account manager to discuss options.
1.7. Will patching be service affecting?
The audit is not service affecting; however, the installation of the updates may be service affecting, and this will be determined as part of the audit. If it is service affecting, then we can schedule the work to be carried out in a service window. The hourly rate will reflect the service window time/day and will be 1.5 to 2 times the business hours cost.
1.8. What do I do next?
Should you believe you need to audit your system, please email here. Welltel will then contact you to arrange the audit. Audit slots are currently limited, so we kindly ask for your patience; you will be contacted as soon as possible to arrange a date. Customers will be scheduled on a first come, first served basis.
If the audit report shows a vulnerability, you can then request that the system be patched by responding to the audit ticket with the PO. You will be contacted by the support desk to schedule the patching. Patching slots are limited at the moment, and customers will be scheduled on a first come, first served basis.
1.9. What if more issues are identified?
Welltel continuously monitors the information from Apache and the vendors regarding Log4j. We will inform our clients in the event that vulnerabilities are identified. Any further patching would be chargeable.
1.10. Are there technical details available on the vulnerability?
Apache are providing updates on the vulnerability at https://logging.apache.org/log4j/2.x/security.html
Vendor-specific status information.

| Vendor | Status |
|---|---|
| Liquid Voice | Liquid Voice have stated to Welltel that, following a detailed investigation, none of their products are vulnerable as they do not use Log4j. |
| NEC | No NEC products supplied by Welltel Group are affected by the Log4j 2 vulnerability |
| NICE | Requires login to NICE Support: https://niceprod.service-now.com/csm?id=log4j_security_vulnerability |
| Nortel | Nortel telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by Welltel Group. Welltel recommends replacing these systems with vendor-supported products from Welltel. |
| Toshiba | Toshiba telephony systems are End of Life/End of Support and any vulnerabilities cannot be patched by Welltel Group. Welltel recommends replacing these systems with vendor-supported products from Welltel. |
| Verint | Requires login to Verint Community: https://connect.verint.com/b/verint-community-news/posts/verint-product-update-on-the-apache-log4j-vulnerability |