DuoCircle Security Statement: Apache Log4j Vulnerability
On Friday, December 10, 2021, we observed the announcement of a previously unknown zero-day vulnerability (CVE-2021-44228) in Log4j, a commonly used logging library for Java-based software.
DuoCircle uses Log4j in AWS Elasticsearch for our email message logging service. Amazon has issued a patch for the service, and it has been applied to our system.
As a security measure, our team has conducted a full impact assessment since the vulnerability was initially documented, and we have found no other component or service offered by DuoCircle to be affected.
Components analyzed and identified as secure:
- Applications, RESTful APIs, API Gateways
- DuoCircle Web (Public Website)
- DuoCircle Support (Freshdesk)
- Backup Services (AWS Backup, AWS S3)
At this moment, no additional components have been identified as vulnerable to the exploit.
We are constantly monitoring the response of security researchers for further discoveries about this vulnerability and any others that may arise. Further updates will be posted on this page as necessary.