Summary
We take the Log4j vulnerability very seriously. Uptrends’ own software does not contain the reported vulnerability and we found no evidence that an attack has taken place or could take place. We have concluded our investigation.
Detailed explanation
Uptrends is aware of the recently discovered software vulnerability known as Log4Shell, or more formally as CVE-2021-44228, which is related to certain versions of a Java software library called Apache Log4j. The formal announcement about the vulnerability can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228. More reference material is available on Apache’s own site at https://logging.apache.org/log4j/2.x/index.html.
We have finished investigating the Uptrends software and services we provide to assess whether they were affected by this security issue. The current situation is as follows:
- The software developed and operated by Uptrends does not run on Java. The Log4j library is not included in our own software. This includes software that runs on our own platform, and software published by Uptrends that runs on devices owned by our users.
- We have no indication that other libraries that may have been derived from Log4j are affected. The vendor of our vulnerability scanning software is aware of the vulnerability and no affected components were found. We will continue to monitor for any updates in this area. Additionally, the software and tools we use to build our own software have been scanned and do not contain the vulnerability.
- We have investigated whether there is evidence to suggest that unauthorized access or activity has taken place on our network. No malicious activity has been detected. We observed that some legitimate software scanning companies were conducting some research to find a possible attack vector in our public software. This revealed no vulnerabilities on our side.
- We have scanned third-party software used internally for various processes. Only a small number of possible targets were found and patches were applied immediately. No evidence of suspicious activity has been found.
- We asked about any affected third-party software that was used directly for our operations. We have no indications of this. Our product services – including monitoring, reporting and alerting, as well as our support services – have continued to run without interruption.
In conclusion, remedial work is not considered necessary.