Log4j Zero Day Vulnerability Update – 12.14.2021 5:00 pm MST
Crownpeak is actively monitoring the Log4j2 Zero Day Vulnerability disclosed
on December 9, 2021 (CVE-2021-44228). Log4j2 affects the Apache Log4j 2
project and any systems which have deployed the library into an application.
Our operations team performed a comprehensive review of internal systems
and support applications to update or patch any affected systems. Updates
on the review results have been posted to this thread. We continue to
actively monitor the situation.
The majority of Crownpeak’s products were not affected by the Log4j2 Zero Day
Vulnerability, as they are not written in Java, or do not use the Log4j library. The
small subset of Crownpeak’s product components which leverage the Log4j library
were affected have been identified and patched to eliminate the risk of exploit.
Specific product details are listed below. Crownpeak will be continuing to monitor
our systems as well as third party components related to this situation closely and
report any additional updates.
DQM – Digital Quality Management
- System required patching due to inclusion in certain internal
components
- Updates and patches to the components have been completed and
verified
- No evidence of exploitation has been observed