Fortify Software Security Center & CVE-2021-44228

Fortify SSC v20.* is vulnerable with respect to CVE-2021-44228.

Any experience using the Log4J settings workaround?

  • Statement made available from Micro Focus legal around 12/12/2021 @ 5:34 pm CST.

    1. Are you aware of Log4J or Logshell/LogJam ( CVE-2021-44228 )?
      Yes, and at this point Micro Focus’ review has found no indications of a vulnerability being exploited. We continue to monitor closely.
    2. What is Micro Focus doing?
      • The appropriate security teams are fully engaged and have been since we were first alerted on Friday.
      • We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.
      • In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject.
      • At the Micro Focus network enterprise level our internal security tooling has been updated and we will continue to monitor our operations for issues.

    ----

    If you've identified anything to the contrary you can report it here: www.microfocus.com/.../product-security-response-center
