Skip to main content
How is 8x8 addressing the Apache Log4j 2 Vulnerability? (December 2021)
8x8 Support

How is 8x8 addressing the Apache Log4j 2 Vulnerability? (December 2021)

 

Answer

At 8x8, we view customer data protection and service uptime as mission critical. 

We are aware of the recently disclosed Apache Log4j 2 vulnerability (CVE-2021-44228).

We have observed no indications that any customer data has been compromised, and remain vigilant to any events related to log4j exploits.

Immediately following the release of information about the zero-day in log4j, 8x8 launched several simultaneous actions coordinated by the security team:

  1. Security incident response teams increased scrutiny of any indicators that may be related to log4j attacks.
  2. Engineering teams began patching services that were known to be using vulnerable versions of log4j.
  3. Security and operations teams began utilizing several overlapping scanning techniques to look for exploitable servers across all of our servers, starting with externally facing and continuing to those in our private networks.
  4. Engineering teams began using several overlapping tools and techniques to determine all services that utilize vulnerable versions of log4j.

To remediate any risks discovered, we have used a combination of techniques. Ultimately we will patch all services using log4j to the latest version, but for expediency in some cases we have rendered the services unexploitable by removing certain classes and changing configurations.

Not all services utilizing a vulnerable version of log4j can be exploited or easily exploited. We have prioritized them accordingly. All services that were detected to be vulnerable to potential mass scanners were immediately remediated. Patching and remediation for other services that use log4j is ongoing as the top priority across all affected teams. Because this is a multifaceted effort, there is no single ETA for blanket remediation.

Additional Information

For more information, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j 2 (https://logging.apache.org/log4j/2.x/index.html) post.

  • Was this article helpful?