Log4j Vulnerability - No impact on the Mindtickle Platform
Incident Report for MindTickle, Inc.
Resolved
We have proactively upgraded all of our log4j library instances to 2.17.1, which remediates CVE-2021-45046; CVE-2021-45105, a 'High' severity Denial of Service (DoS) vulnerability that affects log4j 2.16.0; and CVE-2021-44832, a 'Medium' severity remote code execution (RCE) vulnerability that affects log4j 2.17.0.
Posted Dec 18, 2021 - 04:10 PST
Monitoring
We are aware of the 0-day vulnerability "Log4Shell" discovered in the Java logging library log4j (version 2), which allows Remote Code Execution (RCE). It is tracked as CVE-2021-44228.

Mindtickle uses the log4j library; however, we have assessed our libraries and can confirm that we are not affected by this vulnerability. We are running the most up-to-date version of the JDK, and the attack vector does not work against the combination of log4j and JDK versions that we are using.

Additionally, as a proactive step, we have upgraded all of the log4j libraries to the recommended version 2.15.0. No action is required from your end.
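As an added example (not part of the original report or of Mindtickle's tooling), the kind of library assessment described above: a small Python inventory script that reads the log4j-core version from a jar's Maven pom.properties, descends into nested jars (WAR/EAR bundles, fat jars) and flags every instance below the remediated release this report names. The 2.17.1 threshold, the `assess` helper and the constructed sample jars are assumptions of this example.

```python
import io
import re
import zipfile

# Threshold taken from this report's final update (adjust to your own policy).
MIN_SAFE_VERSION = "2.17.1"
# Standard Maven metadata path that the log4j-core artifact ships inside its jar.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v):
    """Turn '2.17.1' into (2, 17, 1) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def log4j_core_versions(jar_bytes, path="<root>"):
    """Return [(location, version)] for every log4j-core found in a jar,
    recursing into nested .jar/.war/.ear entries where shaded copies hide."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PATH:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.append((path, m.group(1).strip()))
            elif name.lower().endswith((".jar", ".war", ".ear")):
                found.extend(log4j_core_versions(zf.read(name), f"{path}!/{name}"))
    return found


def assess(jar_bytes, path="<root>"):
    """Classify each log4j-core instance as 'ok' (>= threshold) or 'upgrade'."""
    return [(loc, ver, "ok" if parse_version(ver) >= parse_version(MIN_SAFE_VERSION) else "upgrade")
            for loc, ver in log4j_core_versions(jar_bytes, path)]


def make_jar(version, nested=None):
    """Constructed sample: a jar holding only log4j-core pom.properties (plus an
    optional nested jar) so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if nested:
            zf.writestr("WEB-INF/lib/inner.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_jar("2.17.1", nested=make_jar("2.14.1"))  # constructed input
    for loc, ver, verdict in assess(sample, "app.war"):
        print(f"{loc}: log4j-core {ver} -> {verdict}")
```

On a real deployment, feed `assess` the bytes of each jar on the application classpath; the nested-jar recursion is what catches the copies a flat directory listing misses.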

Please feel free to reach out to infosec@mindtickle.com if you have any further questions about this.
Posted Dec 14, 2021 - 22:20 PST