
Cybeats Addresses Widespread ‘Log4j’ Vulnerability

December 17, 2021

TORONTO, December 17, 2021 – Scryb Inc. (“Scryb” or the “Company”) (CSE: SCYB, OTCQB: SCYRF RYMDF, Frankfurt: EIY2) provides commentary on the widespread log4j[1] vulnerability discovered on December 9th, potentially allowing unauthorized remote access. The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability, and noted that it is reportedly being actively exploited.[2]

Log4j is a Java library for activity logging; software producers and consumers are currently spending significant resources to identify where this library exists in software or deployed systems. Some enterprises with advanced software inventory systems are reporting success mitigating this vulnerability, whereas several organizations are set to spend extensive resources over the coming months to fully address this issue. With a managed Software Bill of Materials (SBOM), the products that carry the vulnerability would be far easier to identify and mitigate. Well-managed CI/CD pipelines that include attestations such as SBOMs are currently providing value and certainty to recovery plans.

“This is the type of vulnerability that was leveraged in the Equifax breach in 2017, and it will take a while until it stabilizes and all the impacted software is patched,” said Dmitry Raidman, co-founder and CTO, Cybeats. “Any Java code-based products are potentially affected; it might take months until the patches are delivered to active environments, and some companies that are vulnerable to this exploit at the moment are unaware. To manage this type of risk better in the future, companies may look at SBOM and VEX CSAF as means of obtaining transparency and knowing their software better.”

This vulnerability serves as an important indicator of changes underway in supply chain infrastructure. The transparency implicit in software inventory systems, and specifically in SBOMs, is necessary to ensure stability in software supply chains long term. Multiple Cybeats executives and advisors, including CTO and co-founder Dmitry Raidman, were participants in the U.S. Department of Commerce SBOM working groups, which resulted in the SBOM standard adopted by the U.S. federal government. The Company has developed the SBOM Studio™ product to accomplish in seconds what takes weeks. SBOM Studio™ provides management of SBOMs from design to operation, including orchestration with access management for sharing, AI/ML vulnerability and risk analysis, and security posture ranking for supply chain organizations and software components.

“Forward-looking enterprises may take this as an opportunity to adopt processes represented by Software Bill of Materials to mitigate future costly incidents like log4j and gain the other economic benefits and better software asset inventory control,” said Chris Blask, VP Strategy.

[1] https://en.wikipedia.org/wiki/Log4j

[2] https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

Subsequent Developments

Unveiled subsequent to the log4j revelations on December 9, Log4j is now experiencing a second vulnerability that has already been weaponized, and a new patch version, 2.16.0, has been released.[3]

CNBC recently interviewed CISA Director Jen Easterly, who said log4j is “the most serious vulnerability she’s seen in her decade-long career”.[4] The log4j vulnerability has been conveyed using the analogy: how many rooms in all Quebec government buildings use 60-watt light bulbs? The answer is likely to physically walk to each room and check whether each bulb is 60-watt.[5]

Detecting the vulnerability in a website is a short process, but without an up-to-date inventory list, verifying whether all of the affected components have been found could take several months. Some regions, such as Quebec, have reacted by shutting down nearly 4,000 websites as a preventative measure until the gravity of the situation is assessed.[6]

Log4j is used in thousands of applications, and Authomize has graciously compiled a robust and lengthy list of entities affected by this vulnerability, which includes the likes of Amazon, Apache and Microsoft.[7]

About Cybeats

Cybeats is holistic software supply chain security that builds certainty through visibility, comprehensive protection and proactive response, from launch to legacy. Cybeats. Software made certain.

Website: https://cybeats.com

About Scryb

Scryb is a platform that powers businesses and technologies with applied intelligence, real-time analytics, and actionable insights. The platform boasts proven adaptability across diverse markets, from digital health and diagnostics to cybersecurity and manufacturing. The cloud-based platform is composed of crucial elements including sensor technology, IoT, predictive analytics, and computer vision.

[3] https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html?m=1

[4] https://www.cnbc.com/video/2021/12/16/log4j-vulnerability-the-most-serious-ive-seen-in-my-decades-long-career-says-cisa-director.html

[5] https://www.cbc.ca/news/canada/montreal/quebec-cybersecurity-threat-government-website-1.6283133

[6] https://montreal.ctvnews.ca/quebec-shuts-down-3-992-websites-as-preventative-measure-after-security-flaw-discovered-1.5704258

[7] https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_components.md

For more information, or to ‘SubScryb’ to the Company’s mail list, visit: https://www.scryb.ai


Contact:

W. Clark Kent, President

Office. 647-872-9982

TF. 1-844-247-6633

Email: info@scryb.ai

Forward-looking Information Cautionary Statement

Except for statements of historic fact, this news release contains certain "forward-looking information" within the meaning of applicable securities law. Forward-looking information is frequently characterized by words such as "plan", "expect", "project", "intend", "believe", "anticipate", "estimate" and other similar words, or statements that certain events or conditions "may" or "will" occur. Forward-looking statements are based on the opinions and estimates at the date the statements are made, and are subject to a variety of risks and uncertainties and other factors that could cause actual events or results to differ materially from those anticipated in the forward-looking statements including, but not limited to, delays or uncertainties with regulatory approvals, including that of the CSE. There are uncertainties inherent in forward-looking information, including factors beyond the Company’s control. There are no assurances that the commercialization plans for the technology described in this news release will come into effect on the terms or time frame described herein. The Company undertakes no obligation to update forward-looking information if circumstances or management's estimates or opinions should change except as required by law. The reader is cautioned not to place undue reliance on forward-looking statements. Additional information identifying risks and uncertainties that could affect financial results is contained in the Company’s filings with Canadian securities regulators, which filings are available at www.sedar.com