On December 9, 2021, Apache disclosed that the Log4j library, version 2.14.1 and prior, contains a critical vulnerability that allows unauthenticated Remote Code Execution (RCE). This vulnerability is tracked as CVE-2021-44228 and is colloquially known as Log4Shell or LogJam.
The Skuid Information Security team has conducted an analysis of its product, business systems and sub-processors and has made the following determinations:
- The Log4j library is NOT used in the Skuid code base or any of its dependencies.
- All instances of Log4j in Skuid business systems have been patched as of 12/13/2021.
- Logs for affected business systems have been inspected and no breach, system compromise, or data leak occurred.
- Impact to sub-processors of Skuid Customer data has been evaluated and as of 12/14/2021 there is no known breach, system compromise, or data leak which would affect Skuid customers.
The Skuid Information Security team will continue to monitor this situation and will notify any affected customer in the event that there is a known risk to the confidentiality or integrity of their data.
For more information, please see the links below:
- Skuid Managed Package Customers: https://status.salesforce.com/generalmessages/826
- Skuid Managed Cloud Customers: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/