Since December 2021, major OT vendors have been disclosing the Log4j vulnerability’s impact on their software and equipment, reducing the Log4j attack surface.
Unfortunately, the nature of the Log4j vulnerability can make it challenging to identify. Why? Log4j is often an embedded component of Java-based ICS hardware and software (both proprietary and open-source), leaving OT operators dependent on vendors to identify the Log4j risks and to develop and deploy patches that mitigate them.
Because of this, Dragos assesses with moderate confidence that Log4j will be a persistent vulnerability in ICS environments for years to come.
Download this whitepaper to discover what you can do to mitigate Log4j vulnerabilities.