Since the previous update on December 19, our security team continued to monitor news updates. No new vulnerabilities on log4j were reported. We are confident that with applying the latest version (2.17.0) the vulnerabilities are resolved and the incident can be closed. We will continue to monitor relevant sources for new information and will create a new incident if necessary.
Posted Dec 24, 2021 - 11:14 CET
Update
On Saturday, December 18, 2021, 10pm CET, a new vulnerability for log4j was reported (CVE-2021-45105). Our security team investigated if the BlueConic services were vulnerable to this issue and have patched the two components proactively using log4j to version 2.17.0 when the new version became available.
Posted Dec 19, 2021 - 09:06 CET
Monitoring
On Tuesday, December 14, 2021, 10pm CET, a new vulnerability for log4j was reported (CVE-2021-45046). Our security team investigated if the BlueConic services were vulnerable to this issue, and the team concluded with a high probability that the BlueConic services had no exposure. To further ensure that there will not be any exposure to the vulnerability, we have proactively patched the two components using log4j to version 2.16.0.
Posted Dec 15, 2021 - 15:01 CET
Identified
BlueConic became aware of the log4j vulnerability on Friday, December 10, 2021 at 8a CET. Our security team immediately started investigating to what extent the BlueConic services would be vulnerable. From the investigation, two parts of the software were identified which are using vulnerable log4j components. Neither component was handling user input directly and we assessed the risk of abuse of the vulnerability considered lower than critical. Overnight Saturday, December 11, patches were deployed resolving the vulnerability. We will continue to monitor news updates on this vulnerability to ensure the continued protection of our customers’ data and availability of the BlueConic services.
Posted Dec 12, 2021 - 17:47 CET
This incident affected: European Clusters (Cluster EU 1, Cluster EU 2, Cluster EU 3, Cluster EU 4, Cluster EU 5, Cluster EU 6), US Clusters (Cluster US 1, Cluster US 2, Cluster US 3, Cluster US 4, Cluster US 5, Cluster US 6, Cluster US 7), Sandbox (Sandbox US 1, Sandbox EU 1), and APAC Clusters (Cluster APAC 1).