The É«»¢ÊÓƵ team has taken quick action in relation to resolving the vulnerability advisory related to Log4shell (CVE-2021-44228) which may affect organizations that use vulnerable versions of the Log4j package. The vulnerability is a remote code execution issue in the Apache Log4j logging services application which may affect Java applications.
During our security team’s review, malicious or suspicious activity has not been found. It has been identified as a critical vulnerability and É«»¢ÊÓƵ will continue to respond with the highest priority. Based on the investigation conducted by our security team, we have scanned for and patched known vulnerabilities.
Application É«»¢ÊÓƵs
We have completed our assessment and mitigation across our platforms. The following provides the current status against our platforms.
- É«»¢ÊÓƵ Connect The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- É«»¢ÊÓƵ Collect Not affected
- É«»¢ÊÓƵ Data Annotation É«»¢ÊÓƵ The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- Ampersand Not affected
- É«»¢ÊÓƵ Mobile Not affected
- GAP The vulnerability is mitigated by disabling the service.
- Secure Workspace Not affected
- A9 The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
Internal Infrastructure
We have identified the 27 systems in our infrastructure that had the vulnerable version of log4j package.
- Unified controller – Manages wireless access points
- 2 servers – Hypervisor, and MS Endpoint Configuration Manager server
- 23 endpoint – End user laptops
We have uninstalled them from all these devices.
É«»¢ÊÓƵ public domains
É«»¢ÊÓƵ global site and its sub domains were not affected with this Log4j vulnerability.
Ongoing monitoring
É«»¢ÊÓƵ is running continuous scans on all our systems and applications to monitor this vulnerability.
Supply Chain monitoring
Additionally, we have been proactively reaching out to our third-party service providers (suppliers) to check how are they impacted by this vulnerability and the actions taken by them.
Please reach out to security@appen.com for any questions.
FAQ
Q. Does É«»¢ÊÓƵ use or rely on products that are affected by Log4Shell / CVE-2021-44228?
Yes
Q. Do products or services that É«»¢ÊÓƵ provide to its clients require the use of or access to products affected by Log4Shell?
Yes
Q. Will this impact any product or services that É«»¢ÊÓƵ provides to its clients?
No
Q. To the extent applicable, will this impact Clients ability to access É«»¢ÊÓƵ environment or products?
No
Q. Is there any evidence that the Log4Shell vulnerability has been exploited and É«»¢ÊÓƵ’s or its customers’ data has been accessed or exfiltrated?
No
Q. Has É«»¢ÊÓƵ experienced or detected any impact to or suspicious or malicious activity in connection with products affected by Log4Shell?
No
Q. What remediation actions has É«»¢ÊÓƵ taken or does É«»¢ÊÓƵ plan to take to address Log4Shell vulnerabilities?
All the vulnerable systems have been remediated by either upgrading, uninstalling the affected Log4J version or changing the runtime properties in our environment. No malicious or suspicious activity has been found.
Q. When has É«»¢ÊÓƵ become aware of the Log4Shell vulnerability?
December 10, 2021
Q. How has É«»¢ÊÓƵ communicated the discovery and remediation of the Log4Shell vulnerability?
Through email and web post