How is 8x8 addressing the Apache Log4j 2 Vulnerability? (December 2021)
Answer
At 8x8, we view customer data protection and service uptime as mission critical.
We will continue to monitor the Apache Log4j 2 vulnerability (CVE-2021-44228).
We have observed no indications that any customer data has been compromised, and remain vigilant to any events related to log4j exploits.
Immediately following the release of information about the zero-day in log4j, 8x8 launched several simultaneous actions coordinated by the security team:
- Security incident response teams increased scrutiny of any indicators that may be related to log4j attacks.
- Engineering teams began patching services that were known to be using vulnerable versions of log4j.
- Security and operations teams began utilizing several overlapping scanning techniques to look for exploitable servers across all of our servers, starting with externally facing servers and continuing to those in our private networks.
- Engineering teams began using several overlapping tools and techniques to determine all services that utilize vulnerable versions of log4j.
To remediate any risks discovered, we have used a combination of techniques. Ultimately we will patch all services using log4j to the latest version, but for expediency in some cases we have rendered the services unexploitable by removing certain classes and changing configurations.
Not all services utilizing a vulnerable version of log4j can be exploited or easily exploited. We have prioritized them accordingly. All services that were detected to be vulnerable to potential mass scanners were immediately remediated. Remediation for other affected services is complete, and patching across all systems is ongoing. Similar to other ubiquitous vulnerabilities, this vulnerability will be monitored continuously.
Additional Information
For more information, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j 2 (https://logging.apache.org/log4j/2.x/index.html) post.