On Thursday, December 9th, the Apache Foundation announced a critical vulnerability in the widely used Log4j2 Java library that could be exploited by remote attackers. This vulnerability was given the CVE identifier CVE-2021-44228.
Dimensional Insight software and cloud environment are not vulnerable.
This message is to assure you that (1) we’re not vulnerable, and (2) we take this sort of problem very seriously and have addressed it, auditing both our software and our hosted environments.
Management Summary
The Java components in the Diver software do not make use of Apache Log4J. As such, this vulnerability has no impact on our software or services. This applies to our hosted services as well as to on-premises installations. You do not need to take any further action regarding your standard Diver installations.
Background
On Thursday, December 9th a critical vulnerability was published regarding Apache Log4J 2, a Java-based logging tool. This vulnerability could expose affected computer systems to attackers. You can find more information here: National Vulnerability Database
As Java tooling is relatively common, the impact is potentially substantial. Some of our customers are understandably concerned about this and want to verify that their systems are safe.
Advice
There is no need to take further action for your Diver software; our Java components use a different logging mechanism and as such are not impacted unless you have configured Apache Log4J 2 on your Diver installations – we do not know of any customers who have done this. Dimensional Insight does not use Apache Log4J on its own hosted services.
We advise all our customers to check their other computer systems for the use of Apache Log4J and take corrective actions where appropriate.
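One way to carry out that check across a server's file system is shown below. This is an added example, not tooling from Dimensional Insight or the Apache project: it walks a directory tree, opens every JAR/WAR/EAR archive (including archives nested inside other archives, as application servers commonly deploy them), and reports each Log4j 2 core library it finds together with the version declared in its manifest and whether the JndiLookup class named in the CVE is still present. The sample archives it scans are constructed in a temporary directory purely for demonstration (placeholder bytes stand in for real class files); the `Implementation-Version` manifest field and the `org/apache/logging/log4j/core/` package path are the assumptions the detection rests on. Deciding which reported versions need remediation is left to the reader, by comparison against the fix versions listed in the NVD entry this advisory links to.

```python
"""Inventory check for Apache Log4j 2 core libraries on disk.

Added example; not Dimensional Insight's tooling. Scans a directory tree for
JAR/WAR/EAR/ZIP archives, recurses into archives nested inside them, and
reports each log4j-core build found with its declared version.
"""
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Package path that identifies a log4j-core build (assumption: unshaded layout).
CORE_PACKAGE = "org/apache/logging/log4j/core/"
# The class whose JNDI lookup is the subject of CVE-2021-44228.
JNDI_LOOKUP_CLASS = CORE_PACKAGE + "lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def manifest_version(zf):
    """Return the Implementation-Version declared in the archive manifest, or None."""
    try:
        text = zf.read(MANIFEST).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(data, label):
    """Inspect one archive given as bytes, plus any archives nested inside it.

    Returns a list of (label, version, has_jndi_lookup) tuples, one per
    log4j-core build found. Non-zip input yields an empty list.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PACKAGE) for n in names):
            findings.append((label, manifest_version(zf), JNDI_LOOKUP_CLASS in names))
        # Recurse into nested archives, e.g. WEB-INF/lib/*.jar inside a WAR.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive file in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_tree(root):
    """Create a constructed sample tree: a bare log4j-core jar, an unrelated
    jar, and a WAR that bundles the core jar. Class contents are placeholders."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    core = make_zip({
        MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",          # placeholder bytes
        CORE_PACKAGE + "Logger.class": b"\xca\xfe\xba\xbe",
    })
    other = make_zip({MANIFEST: "Manifest-Version: 1.0\n", "com/example/App.class": b""})
    war = make_zip({"WEB-INF/web.xml": "<web-app/>",
                    "WEB-INF/lib/log4j-core-2.14.1.jar": core})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for rel, data in [("lib/log4j-core-2.14.1.jar", core),
                      ("lib/other.jar", other), ("app.war", war)]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir, scan it, return sorted findings
    with paths made relative to the temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((os.path.relpath(label, tmp), version, jndi)
                      for label, version, jndi in scan_tree(tmp))


if __name__ == "__main__":
    for label, version, jndi in demo():
        print(f"{label}: log4j-core version={version}, JndiLookup present={jndi}")
```

To run it against a real host, call `scan_tree("/opt/your-app")` (or the root of each application server) instead of `demo()`; archives that cannot be opened as zip files are skipped rather than aborting the scan, and nested hits are labelled `outer.war!inner/path.jar` so the enclosing deployment is identifiable.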
Information Security Team, Dimensional Insight