Protecting MPAC systems from the log4j vulnerability

MPAC IT began assessing the impact of the log4j vulnerability last week, and took all steps necessary to protect MPAC’s systems beginning December 10.  MPAC systems are secured by a “defense in depth” approach and follow ISO/IEC 27001/17 code of practice for information security controls, including monitoring and change management.

Solutions included updating firewalls, applying mitigation measures identified in the Common Vulnerabilities and Exposures (CVE) updates (CVE-2021-44228 and CVE-2021-45056) as well as upgrading applications and services to ensure they were not vulnerable.  The immediate focus was on external-facing applications including Municipal Connect, AboutMyProperty, mpac.ca as well as services and infrastructure.  We also reviewed third party applications and vendors, and have been implementing fixes as those vendors make them available. Internal systems were also updated early this week.

This situation is still evolving and MPAC will continue to monitor and ensure that our systems remain safe.