On December 9th, the Apache Software Foundation disclosed a critical vulnerability (CVE-2021-44228) in the Log4j logging library. Heap has completed mitigation efforts related to this vulnerability, and our investigations have revealed no evidence of any impact on Heap.
The Common Vulnerabilities and Exposures entry CVE-2021-44228 disclosed a 0-day exploit affecting certain versions of the Java logging library Log4j. The affected versions are Apache Log4j2 2.0-beta0 through 2.12.1 and 2.13.0 through 2.15.0, when the message lookup substitution feature is enabled.
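An added example (not Heap's tooling) of how a defender can triage a software inventory against the version ranges and the lookup-substitution condition stated above; the jar paths, host names and lookup flags below are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the advisory text above (inclusive bounds).
AFFECTED_RANGES = [("2.0-beta0", "2.12.1"), ("2.13.0", "2.15.0")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
_JAR_RE = re.compile(r"log4j-core-([0-9][0-9A-Za-z.\-]*?)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0-beta0' into a sortable tuple; a pre-release sorts below its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    tag, num = m.group(4), m.group(5)
    if tag:
        rank = {"alpha": 0, "beta": 1, "rc": 2}[tag.lower()]
        return (major, minor, patch, rank, int(num or 0))
    return (major, minor, patch, 3, 0)  # final release ranks above any pre-release


def version_from_jar(path: str) -> Optional[str]:
    """Extract the version from a log4j-core jar file name, or None if it is not one."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def is_affected(version: str, lookups_enabled: bool = True) -> bool:
    """True when the version is inside a stated range AND message lookup substitution is enabled."""
    if not lookups_enabled:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Constructed inventory: (host, jar path, lookups enabled?) -- sample data, not a real environment.
INVENTORY = [
    ("app-01", "/opt/app/lib/log4j-core-2.14.1.jar", True),
    ("app-02", "/opt/app/lib/log4j-core-2.16.0.jar", True),
    ("batch-07", "/srv/batch/lib/log4j-core-2.0-beta9.jar", True),
    ("legacy-03", "/srv/legacy/lib/log4j-core-2.12.2.jar", True),
    ("svc-11", "/srv/svc/lib/log4j-core-2.15.0.jar", False),
    ("web-04", "/srv/web/lib/log4j-api-2.14.1.jar", True),  # api jar alone: not log4j-core
]


def triage(inventory) -> List[str]:
    """Return the hosts whose log4j-core jar needs remediation, sorted by name."""
    hits = []
    for host, jar, lookups in inventory:
        ver = version_from_jar(jar)
        if ver is not None and is_affected(ver, lookups):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected log4j-core version, remediate")
```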
How Heap responded
Heap’s Security Team immediately began investigating Heap’s environment to identify any affected systems. After a thorough investigation, we determined that Heap’s software is not susceptible to the vulnerability. We also worked with our sub-processors and vendors to ensure that all are taking the necessary measures to secure their software.
We are staying on top of further developments related to this vulnerability, and will take action as new information becomes available. At this time, we have taken all measures necessary and completed all remediations based on the information available. There is no action required from Heap customers.
Keeping our customers’ data safe is our number one priority. We’re actively monitoring this issue and will continue to take all steps necessary to mitigate it.