EnergySys and the Log4j Vulnerability

Log4j Background  

We take security very seriously. As part of our ISO 27001-certified processes we actively monitor software vulnerability databases such as those maintained by the National Institute of Standards and Technology (NIST) in the US. We also run automated scans of our software in both development and production to identify whether any of our code contains libraries or functions that are open to known exploits.

A recent addition to the Common Vulnerabilities and Exposures (CVE) list has gained considerable attention because it affects a core piece of software that is very widely used. The Log4j library is a Java package that developers routinely use to log events and error messages from their software. Unfortunately, this vulnerability is trivial to exploit and could allow an attacker to run malicious code on the target server.

Action 

As soon as the new vulnerability was reported we carried out a detailed review of our entire code base to determine the extent of our potential exposure. Fortunately, in the majority of cases the Log4j libraries in use were not the versions affected by this exploit. However, a small number of components were identified as potentially exploitable, although the nature of their deployment would have made exploitation very difficult. The affected components have been patched and the patched versions are being deployed to production. This process is expected to be fully completed for all production environments by Monday 20 December. Our scanning environment has also been automatically updated so that checks for this issue are now part of our routine security scans.

Review 

Security experts around the world carry out testing of code for security vulnerabilities and exploits. The process for reporting and resolution is well established, and we routinely patch software to ensure that it is free of known defects. The ubiquity of the Log4j library and the critical nature of this particular exploit have brought attention to this process, but the nature of our response and the procedures we follow are standard for all reported security issues. The security of our customers' data is our single highest priority.
