This document tracks the impact of the Apache Log4j vulnerability (CVE-2021-44228) on the Apty product line. Our incident response team is continuously monitoring and evaluating the issue. Should any Apty product be found to be vulnerable, we will notify all affected customers without delay, along with any required configuration changes or updates.
What happened on 9th December 2021?
Last week, we, along with the rest of the tech community, received reports of a critical vulnerability in the Apache Log4j 2 logging library. On Thursday, December 9, 2021, CVE-2021-44228, also known as "Log4Shell", became public. An attacker who can get a crafted string (for example one containing a `${jndi:...}` lookup) written to a log by a vulnerable Log4j 2 version can cause the library to fetch and execute attacker-controlled code, which amounts to remote code execution (RCE) on the server. The vulnerability is affecting organizations across the globe.
What has Apty been doing?
At Apty, we take the security of our product and customer data very seriously. As soon as reports of Log4Shell emerged, Apty's incident response team launched an investigation to find and evaluate every use of the Log4j library across our services, systems, and applications.
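The inventory step described above, finding where log4j-core is actually present, is the part most teams need to automate. The following scanner is an added example written for this page; it is not Apty's internal tooling. It walks a directory tree, opens every JAR/WAR/EAR/ZIP (including archives nested inside other archives, as in a WAR's `WEB-INF/lib`), reads the version from log4j-core's own `pom.properties`, checks for `JndiLookup.class`, and classifies the artefact against CVE-2021-44228 (fixed in 2.15.0, backported as 2.12.2 and 2.3.1). The sample tree it builds is constructed from placeholder archives, not real Log4j binaries; only the entry names inside them are real.

```python
"""Added example (not Apty tooling): locate log4j-core artefacts and classify them."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are dropped."""
    parts = []
    for piece in text.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_44228(version):
    """Affected log4j-core 2.x versions: fixed in 2.15.0, with backports 2.12.2
    (Java 7) and 2.3.1 (Java 6). Log4j 1.x does not have this JNDI lookup."""
    if version[0] != 2:
        return False
    return (version < (2, 3, 1)
            or (2, 4, 0) <= version < (2, 12, 2)
            or (2, 13, 0) <= version < (2, 15, 0))


def inspect_archive(zf, location, findings):
    """Record log4j-core evidence in an open ZipFile; recurse into nested archives."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1].strip())
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({
            "location": location,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # None means version unknown: review by hand. A vulnerable version with
            # JndiLookup.class deleted counts as mitigated (Apache's 2.10+ workaround).
            "cve_2021_44228": (is_vulnerable_44228(version) and has_jndi)
                              if version else None,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, location + "!" + name, findings)


def scan_for_log4j(root):
    """Walk root and return one finding per log4j-core artefact, sorted by location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    inspect_archive(zf, rel, findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def build_fixture(root=None):
    """Constructed sample tree of placeholder archives shaped like real log4j-core JARs."""
    root = root or tempfile.mkdtemp()
    def make_jar(path, version=None, with_jndi=False, nested=()):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stand-in class bytes
            for inner_name, inner_bytes in nested:
                zf.writestr(inner_name, inner_bytes)
    lib = os.path.join(root, "lib")
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
    make_jar(os.path.join(lib, "log4j-core-2.12.2.jar"), "2.12.2", True)
    make_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    make_jar(os.path.join(lib, "commons-io-2.11.0.jar"))  # unrelated, must not be flagged
    buf = io.BytesIO()  # a WAR bundling its own vulnerable log4j-core copy
    with zipfile.ZipFile(buf, "w") as inner:
        inner.writestr(POM_PROPERTIES, "version=2.13.3\n")
        inner.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    make_jar(os.path.join(root, "webapps", "app.war"),
             nested=[("WEB-INF/lib/log4j-core-2.13.3.jar", buf.getvalue())])
    return root
```

Point `scan_for_log4j()` at an application root (for example a container image layer or a deployment directory) and treat any finding with `cve_2021_44228` of `True` or `None` as work to do. Two caveats apply: a scan of artefacts on disk misses shaded or relocated copies of the library whose entries no longer carry these names, and, as this advisory itself illustrates, having no Log4j in your own code base says nothing about the third-party services your product depends on.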
How does it impact Apty Products?
Our immediate investigation has not identified any direct exposure to the Log4j vulnerability that could impact the safe use of our products. Apty does not run Java-based applications and does not use Log4j as its logging framework. However, we did find that some of the external services we rely on to deliver our product to end users do use Log4j.
What is the mitigation status from external services?
Our team has been in constant contact with these external service providers to confirm that they have applied the available patches or other mitigations for the Log4j vulnerability. The majority have already confirmed that they have done so. We are still awaiting a response from a small subset of providers and will update this document as soon as we hear from them.
Update
The Apty incident response team has audited all third-party service providers for updates on their security status regarding the Log4j vulnerability. We are awaiting confirmation from one remaining provider to complete this investigation and will add that information here as soon as we have it.
Resolved
This issue is resolved: we have completed our final investigation and follow-ups with all third-party service providers. All affected systems have been updated and mitigations are in place.