Roadie's response to recent log4j vulnerabilities
By David Tuite • December 22nd, 2021
Roadie is not impacted by the log4j vulnerabilities, CVE-2021-44228 or CVE-2021-45046, also known as log4shell.
On December 9th, 2021 CVE-2021-44228 was announced, impacting versions 2.x of log4j (also known as log4j2). This issue was believed to be fixed in log4j 2.15.0, however on December 14th, 2021 CVE-2021-45046 was announced, and log4j 2.16.0 was released, fixing the additional exploitation vectors.
Roadie is written in TypeScript and JavaScript and therefore does not make use of the Java logging library, log4j or the Java Virtual Machine. There is one component in our stack, PlantUML, which is written in Java, but it does not make use of log4j.
SaaS
Roadie’s SaaS platform was not impacted by the log4j vulnerabilities. As a TypeScript application, we do not make use of log4j directly. While thoroughly examining our cloud environment, we determined that we are not running any impacted software in a way that is publicly available.
We have taken the following steps to ensure our infrastructure is not vulnerable:
- Audited our cloud environment to ensure we are not running log4j in any application code directly.
- Upgraded all AWS EC2 Node Groups to the latest AMI version provided by Amazon.
- Hotpatched all AWS ECS containers with the mitigations provided by Amazon.
- Audited our sub-processors to ensure they are taking steps to mitigate the vulnerability in their own software stacks.
Links to sub-processor responses:
- AWS - upgrades applied
- Auth0 - not vulnerable
- Google Analytics - not vulnerable
- Functional Software - not vulnerable
- Amplitude - upgrades applied
- Intercom - upgrades applied
Open Source
Roadie’s OSS code is not impacted by the log4j vulnerabilities. As TypeScript applications, our Open Source code does not make use of log4j directly.