On December 9th, 2021 CVE-2021-44228 (commonly called Log4Shell) was announced, a remote code execution vulnerability in the 2.x branch of log4j (also known as log4j2), affecting versions 2.0-beta9 through 2.14.1. The issue was believed to be fixed in log4j 2.15.0; however, on December 14th, 2021 CVE-2021-45046 was announced, and log4j 2.16.0 was released to close the additional exploitation vectors.
Roadie’s SaaS platform was not impacted by the log4j vulnerabilities. As a TypeScript application, it does not use log4j directly. After thoroughly examining our cloud environment, we determined that no impacted software is running in a way that is reachable from the public internet.
We have taken the following steps to ensure our infrastructure is not vulnerable:
- Audited our cloud environment to ensure no application code is running log4j directly.
- Upgraded all AWS EC2 Node Groups to the latest AMI version provided by Amazon.
- Hotpatched all AWS ECS containers with the mitigations provided by Amazon.
- Audited our sub-processors to ensure they are taking steps to mitigate the vulnerability in their own software stacks.
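The first audit step above, checking every deployed artifact for a log4j-core copy, is where most teams got caught by JARs bundled inside WARs and fat JARs. The scanner below is an added example of how that check can be done offline against a mounted filesystem or extracted container image; it is not Roadie's own tooling. It opens each .jar/.war/.ear/.zip, recurses into nested archives, reads the log4j-core version from its Maven pom.properties, and reports whether the JndiLookup class is present (removing that class was the vendor-endorsed workaround when upgrading was not possible). The "fixed" table is taken from the Apache advisory (2.16.0, plus the 2.12.2 and 2.3.1 backports for Java 7 and Java 6); the sample archives in `sample_findings` are constructed fixtures, not real artifacts.

```python
"""Find log4j-core artifacts hit by CVE-2021-44228 / CVE-2021-45046 on a filesystem.

Added example for the audit step above, not Roadie's own tooling. Walks a
directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested
inside archives (fat JARs, WARs with WEB-INF/lib), reads the log4j-core version
from its Maven pom.properties and reports whether JndiLookup.class is present.
The fixed-version table follows the Apache advisory: 2.16.0 and the 2.12.2 /
2.3.1 backports fix both CVEs. Sample archives below are constructed fixtures.
"""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def is_fixed(version):
    """Fixed for both CVEs: >= 2.16.0, or the Java 7 / Java 6 backports 2.12.2+ / 2.3.1+."""
    major_minor, patch = version[:2], version[2]
    if version >= (2, 16, 0):
        return True
    return (major_minor == (2, 12) and patch >= 2) or (major_minor == (2, 3) and patch >= 1)


def classify(version, jndi_present):
    """Status of one log4j-core artifact."""
    if not jndi_present:
        return "mitigated"      # JndiLookup.class removed from the jar (the no-upgrade workaround)
    if version is None:
        return "review"         # shaded/relocated jar without pom.properties: check by hand
    return "fixed" if is_fixed(version) else "vulnerable"


def scan_bytes(data, path, findings=None):
    """Scan one archive held in memory; nested archives get a 'outer!inner' path label."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings         # not a zip container (e.g. a renamed file); nothing to inspect
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = parse_version(m[1]) if m else None
    jndi_present = JNDI_LOOKUP in names
    if version is not None or jndi_present:
        findings.append({"path": path, "version": version,
                         "jndi_lookup": jndi_present,
                         "status": classify(version, jndi_present)})
    for name in sorted(names):  # recurse into bundled archives (WEB-INF/lib, fat JARs)
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            scan_bytes(zf.read(name), f"{path}!{name}", findings)
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a mounted container root) and scan every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_bytes(fh.read(), full, findings)
    return findings


def build_archive(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_findings():
    """Constructed fixtures (not real artifacts): a WAR bundling log4j-core 2.14.1 with
    JndiLookup, a 2.16.0 jar, and a 2.14.1 jar with JndiLookup.class stripped out."""
    def core(version, with_jndi=True):
        entries = {POM_PROPS: f"version={version}\n".encode()}
        if with_jndi:
            entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real bytecode
        return build_archive(entries)
    war = build_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1")})
    findings = scan_bytes(war, "app.war")
    scan_bytes(core("2.16.0"), "log4j-core-2.16.0.jar", findings)
    scan_bytes(core("2.14.1", with_jndi=False), "log4j-core-2.14.1-stripped.jar", findings)
    return findings


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['status']:<10} {f['path']}  version={f['version']}  JndiLookup={f['jndi_lookup']}")
```

Run it against a real host with `scan_tree("/")` (or against an image unpacked with `docker export`) and treat every `vulnerable` and `review` result as an upgrade-or-remove action; a `mitigated` result only means the JNDI lookup class is gone, so it still deserves a follow-up upgrade once 2.16.0 or later is available for that branch.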
Links to sub-processor responses:
- AWS - upgrades applied
- Auth0 - not vulnerable
- Google Analytics - not vulnerable
- Functional Software - not vulnerable
- Amplitude - upgrades applied
- Intercom - upgrades applied
Roadie’s OSS code is not impacted by the log4j vulnerabilities. As TypeScript applications, our Open Source code does not make use of log4j directly.