Log4j Zero Day Vulnerability Update – 12.14.2021 5:00 pm MST
Crownpeak is actively monitoring the Log4j2 Zero Day Vulnerability disclosed
on December 9, 2021 (CVE-2021-44228). The vulnerability affects the Apache Log4j 2
project and any systems which have deployed the library into an application.
Our operations team performed a comprehensive review of internal systems
and support applications to update or patch any affected systems. Updates
on the review results have been posted to this thread. We continue to
actively monitor the situation.
The majority of Crownpeak’s products were not affected by the Log4j2 Zero Day
Vulnerability, as they are not written in Java, or do not use the Log4j library. The
small subset of Crownpeak’s product components which leverage the Log4j library
and were affected have been identified and patched to eliminate the risk of exploit.
Specific product details are listed below. Crownpeak will continue to closely monitor
our systems, as well as third-party components related to this situation, and
report any additional updates.
DXM – Hybrid Headless CMS
- No exposure in the Windows hosting environment
- The core Java install on standard Linux hosting environments was not
affected. The operations team has completed a full review of the
customer systems and resolved any affected systems.
- A content update queuing service was affected and has been patched
- A third-party Java-based monitoring agent deployed on a small number
of systems in Linux environments was affected and has been patched
- We continue to monitor hosting systems and third-party components related to this situation
- No evidence of exploitation has been observed
Products Unaffected by Log4j Vulnerability
- Web Content Management (CMS)
- Web Content Optimization (WCO) personalization
- Dynamic API Content Delivery (SearchG2)
- Cloud Website Hosting Services: Windows .Net