The É«µ¼º½ team has taken quick action in relation to resolving the vulnerability advisory related to Log4shell (CVE-2021-44228) which may affect organizations that use vulnerable versions of the Log4j package. The vulnerability is a remote code execution issue in the Apache Log4j logging services application which may affect Java applications.
During our security team’s review, malicious or suspicious activity has not been found. It has been identified as a critical vulnerability and É«µ¼º½ will continue to respond with the highest priority. Based on the investigation conducted by our security team, we have scanned for and patched known vulnerabilities.
Application Platforms
We have completed our assessment and mitigation across our platforms. The following provides the current status against our platforms.
- É«µ¼º½ Connect The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- É«µ¼º½ Collect Not affected
- É«µ¼º½ Data Annotation Platform The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- Ampersand Not affected
- É«µ¼º½ Mobile Not affected
- GAP The vulnerability is mitigated by disabling the service.
- Secure Workspace Not affected
- A9 The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
Internal Infrastructure
We have identified the 27 systems in our infrastructure that had the vulnerable version of log4j package.
- Unified controller – Manages wireless access points
- 2 servers – Hypervisor, and MS Endpoint Configuration Manager server
- 23 endpoint – End user laptops
We have uninstalled them from all these devices.
É«µ¼º½ public domains
É«µ¼º½ global site and its sub domains were not affected with this Log4j vulnerability.
Ongoing monitoring
É«µ¼º½ is running continuous scans on all our systems and applications to monitor this vulnerability.
Supply Chain monitoring
Additionally, we have been proactively reaching out to our third-party service providers (suppliers) to check how are they impacted by this vulnerability and the actions taken by them.
Please reach out to security@appen.com for any questions.
FAQ
Q. Does É«µ¼º½ use or rely on products that are affected by Log4Shell / CVE-2021-44228?
Yes
Q. Do products or services that É«µ¼º½ provide to its clients require the use of or access to products affected by Log4Shell?
Yes
Q. Will this impact any product or services that É«µ¼º½ provides to its clients?
No
Q. To the extent applicable, will this impact Clients ability to access É«µ¼º½ environment or products?
No
Q. Is there any evidence that the Log4Shell vulnerability has been exploited and É«µ¼º½â€™s or its customers’ data has been accessed or exfiltrated?
No
Q. Has É«µ¼º½ experienced or detected any impact to or suspicious or malicious activity in connection with products affected by Log4Shell?
No
Q. What remediation actions has É«µ¼º½ taken or does É«µ¼º½ plan to take to address Log4Shell vulnerabilities?
All the vulnerable systems have been remediated by either upgrading, uninstalling the affected Log4J version or changing the runtime properties in our environment. No malicious or suspicious activity has been found.
Q. When has É«µ¼º½ become aware of the Log4Shell vulnerability?
December 10, 2021
Q. How has É«µ¼º½ communicated the discovery and remediation of the Log4Shell vulnerability?
Through email and web post