BAI statement on December 2021 log4j security vulnerabilities
BAI does not utilize the log4j version 2 component in any of its products or internet-facing systems. At this time BAI has no indication it is affected by this security incident.
As soon as the recent vulnerabilities in the widely used log4j software component (a.k.a. “log4shell”) were made public on 10 December 2021, BAI verified that the affected software was not present on any of its internet-facing systems. BAI then scanned all its systems for any of the affected log4j software versions. We found two internal-only business support systems which utilized a vulnerable version of log4j. We applied the patches and mitigations recommended by the vendors of those two systems by end of day on 12 December 2021.
Additionally, BAI has scanned its systems and logs for any log4j-related “indicators of compromise.” To date we have found no such evidence.
As of 21 Dec 2021, none of BAI’s vendors or suppliers have reported being breached as a result of the log4j vulnerabilities, and all have patched or mitigated the issue quickly. BAI will continue to communicate with all its vendors to ensure they remain unaffected by these vulnerabilities, and to implement additional controls to mitigate similar issues in the future.
The BAI security team will continue to monitor security news and threat feeds for additional information and update this statement as necessary.
Updated 21 December 2021