Log4j2 Vulnerability Update

CustomerSuccessBox is aware of ongoing security issues related to open-source Apache “Log4j2”. We know that you rely on CustomerSuccessBox security measures for your data confidentiality, integrity and availability. 

Once CustomerSuccessBox became aware of this vulnerability, we began an internal review of all our software and infrastructure to determine potential impact. The CustomerSuccessBox product itself does NOT use Log4j2 as a logging tool. Thus far, while our exposure to the vulnerability has been minimal, we have begun to put remediations in place through a combination of software updates and systems hardening.

We are continuously monitoring the situation as new information becomes available.

What is Log4j2?

Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.

Log4j is a Java library by Apache used to log debug messages within applications. It has recently been featured in news outlets around the world because of a newly discovered vulnerability (known as Log4Shell) that allows remote code execution using a specific string.

Was CustomerSuccessBox affected? 

The CustomerSuccessBox product does NOT use Log4j2 as a logging tool. Further, in our reviews we have found NO indication of any past compromise on any of our systems or subsystems.

CustomerSuccessBox has taken a number of steps to identify and mitigate any risk. We have:

  1. Run full scans of all production services to identify any dependency on the Log4j2 library. The CustomerSuccessBox product uses a different technology stack and does not rely on the Log4j2 library.
  2. Patched and hardened systems and subsystems to help prevent exploitation attempts.
  3. Performed additional vulnerability scans on CustomerSuccessBox systems.

What about CustomerSuccessBox sub-processors? 

CustomerSuccessBox’s most important sub-processors hosting customer production data are Amazon Web Services and Microsoft Azure. Both were either not vulnerable, or have already begun patching the vulnerability across their networks.

We are also continuously monitoring the responses of sub-processors of the CustomerSuccessBox product to this exploit. If any system is found to be vulnerable, we will rapidly patch the instance, or apply other mitigation tactics as advised by the vendors we use.

Do you need to take any action? 

We will continue to be watchful of any potential exposure to this vulnerability and will alert our customers as required. At this time, CustomerSuccessBox customers do not need to take any action related to their use of CustomerSuccessBox software.

If you have specific questions related to this event, please contact CustomerSuccessBox Support.  

Amritpal is co-founder and chief technologist at CustomerSuccessBox.