No exposure to recent Log4j vulnerability

Since the Log4j vulnerability news broke, Ulobby has been reviewing our platform for potential exposure.

Written by Bertel Torp
Updated over a week ago

At this time, we see no direct impact on the Ulobby Platform. We will continue to monitor and investigate the situation.

What is the vulnerability?

  • On Friday, December 10th, a zero-day vulnerability in Log4j, a widely used open-source logging tool that is part of Apache Logging Services, impacted a meaningful subset of the software industry.

  • For those affected, an attacker who can control log messages or log message parameters may be able to trigger lookups against LDAP or other Java Naming and Directory Interface (JNDI) endpoints and subsequently attempt to execute code loaded from remote servers.

Is Ulobby impacted?

  • Upon becoming aware of the vulnerability, Ulobby initiated an investigation to determine if any further action is required to mitigate the vulnerability. This investigation has, at this time, found no indication of compromise, and there is no action required for Ulobby customers.

  • To improve detection and mitigation of risks arising from the issue, our security partner Cloudflare implemented firewall rules at 2021-12-10 09:13 UTC that inspect the URI, request body, and commonly used headers, adding an additional layer of defence.

  • UPDATED 2021-12-15 13:32 UTC: We have concluded our review of our systems, and Ulobby does not use Log4j in any systems that handle client data. There is no known impact to Ulobby's products or services as a result of this vulnerability. We will continue working with vendors and partners to determine if any of our supporting systems have been impacted (e.g. billing, payroll, support ticketing, etc.).

  • UPDATED 2021-12-21 15:03 UTC: We have concluded our review of vendors and partners. While no systems that handle our customers' data are impacted, a vendor that provides Ulobby with supporting services (our payroll system) has reported having used Log4j and has confirmed that the affected systems are patched. Other vendors that do not directly use Log4j, but do rely on Elasticsearch, which uses Log4j in some capacity, have patched and/or upgraded in accordance with the guidelines in Elastic's latest update, dated 19th of December: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Do I need to do anything?

  • Customers do not need to take any action.



We will continue to evaluate this matter, and if we determine Ulobby or our customers are impacted going forward, we will take all appropriate measures to help protect our customers and provide additional communications. We appreciate your trust in us as we continue to make your success our top priority.
