
Security Update: Zero-day in the Log4j Java library (CVE-2021-44228)


Martin Rues

CISO

Outreach is aware of this vulnerability and is continuously monitoring the situation. This is an informational update to communicate that Outreach is not impacted by this vulnerability. Our security team is tracking future developments.

Summary

CVE-2021-44228, a remote code execution (RCE) vulnerability, was discovered on Dec 9th and has been given the maximum CVSS score of 10. It impacts anyone using the Log4j Java library version 2.14.1 and earlier. The vulnerability, which lies in Log4j’s JNDI support, is fixed in Log4j 2.15.0. If you are currently using a vulnerable version, we recommend you upgrade immediately.

Is Outreach impacted?

We have completed our investigation and determined that Outreach has not been impacted by this vulnerability. We have also determined that our sub-processors are either unaffected or have remediated the vulnerability.

What is Outreach Security doing?

Prevention: Outreach’s network security controls have deny actions enabled, where possible, for any attack traffic targeting this vulnerability.

Detection: Outreach’s threat detection instrumentation has been updated to alert on attack traffic in near real time. The Security Detection & Response team has also initiated an advanced threat hunting activity.

Response: Even though Outreach is not impacted, Outreach Security is continuing to monitor the situation. We are scanning our environment for any supply chain vulnerabilities and will respond immediately to any that are discovered.

Protecting our customers and their data from malicious activity is a top priority for Outreach. Our customers are encouraged to visit our Trust page to learn more about how Outreach protects customer data.

Last updated:
Friday, December 17, 2021