UPDATE: We have now confirmed all third-party vendors have been patched to address the issues currently identified in both CVE-2021-44228 and CVE-2021-45046.
A quick summary
On Dec. 9, 2021, we learned of a critical vulnerability in Log4j, a Java library from the Apache Software Foundation, described in CVE-2021-44228. A short time later, we learned of CVE-2021-45046, also implicating Log4j. ww5, like many cloud-based services, uses Log4j to process logs.
We immediately took steps to assess our infrastructure and client applications and to make updates mitigating the impact of the vulnerability. We completed our initial mitigation of CVE-2021-44228 on Dec. 13, 2021, and our mitigation for CVE-2021-45046 on December 17. As of Dec. 17, 2021, we have applied all necessary patches and mitigations to ww5’s production services vulnerable to the issues currently identified in CVE-2021-44228 and CVE-2021-45046 and we are executing our final validation steps.
Who was impacted?
We have not yet completed our impact analysis. For any vulnerability putting the ww5.com service and customer data at risk, we conduct an investigation to determine if the vulnerability was exploited by attackers to gain access to customer data. This investigation is in process for CVE-2021-44228 and CVE-2021-45046 and may take some time to complete. If we discover that any customer’s data was compromised as a result of this vulnerability, we will contact the customer without undue delay.
What’s left for ww5 to do?
We are still verifying that nothing was missed in the mitigation process, ensuring temporary mitigations are made permanent, and investigating to determine if any customer’s data was affected during the time that ww5 was vulnerable.
[Editor’s note: The status of third-party vendors has now been confirmed, see update above.] Also, we are still awaiting confirmation from some vendors that their services are fully patched. We will continue to monitor for developments related to the Log4J vulnerabilities and update our mitigations if necessary.
What do I need to do?
If applicable, we recommend that customers investigate risks related to ww5 integrations (see below). The ww5 service itself was updated on the back end. Customers do not need to update their clients, which did not use Log4j, or make any change to receive the patches and mitigations deployed to protect the ww5 service.
For those who need more details
To respond to these vulnerabilities, we inspected our servers in production, development and corporate operating environments, our code repositories, and running production processes to identify all potential uses of Log4j. We used this data to compile a list of all potentially vulnerable services and began applying patches or workarounds to mitigate the potential impact of the issue. At this time, we have mitigations in place for the ww5 service that align with the recommendations of CVE-2021-44228 and CVE-2021-45046. We are continuing to assess the potential impact of these vulnerabilities as new information is provided.
While the ww5 service and API process data using Log4j, ww5 clients for mobile and desktop were not affected by these vulnerabilities, as they do not use Log4j.
We are not able to evaluate the effect of these vulnerabilities on the service providers in our app directory. These service providers may or may not use Log4j. Please contact service providers directly for more information using the “Get support” link on the app’s listing in ww5’s App Directory.
If you have created your own integrations that interact with data in ww5 (aka, “custom integrations”), you should review the implications this may have on your own use of Log4j to ensure:
- The data that you write TO ww5 via these custom integrations is ww5’s responsibility to protect and ww5’s servers have been updated to mitigate the Log4j vulnerabilities, per information provided above.
- The data that you read FROM ww5 and deliver to your own infrastructure presents lower risk if all of the data in your ww5 workspace is from trusted sources.
- However, if any sources that you do not fully trust are posting data to your ww5 workspace, you should immediately ensure that any infrastructure you host that supports logging via Log4j has been patched and is fully up to date.
What else is there to know?
There are several good sources to provide background information about the Log4j library and its issues. For those who want more context, we recommend:
For technical questions, please reach out to members of the ww5 support team. They will be happy to create a case.
Fantastico!
Grazie mille per il feedback!
Capito!
Grazie per il feedback!
Ops! Si è verificato un problema. Riprova più tardi.