Log4j Disclosure
Quick Answer
On December 10, 2021, the Apache Log4j zero-day vulnerability CVE-2021-44228 (Log4Shell) was publicly disclosed. DuoCircle uses Log4j inside AWS ElasticSearch for the email message logging service. Amazon issued a patch and DuoCircle applied it. A full impact assessment found no other affected components: applications, RESTful APIs, API gateways, the public website, Freshdesk support, and AWS Backup/S3 storage all tested clean. DuoCircle continues to monitor security research for related vulnerabilities and will post updates on this page if new exposure is found.
DuoCircle Security Statement: Apache Log4j Vulnerability
On Friday, December 10, 2021, we observed the announcement of a previously unknown zero-day vulnerability (CVE-2021-44228) in Log4j, a commonly used logging library for Java-based software.
DuoCircle uses Log4j in AWS ElasticSearch for our email message logging service. Amazon has issued a patch for the service and it has been applied to our system.
As a security measure, our team has conducted a full impact assessment since the vulnerability was initially documented, and we have found no other component or service offered by DuoCircle to be affected.
Components analyzed and identified as secure:
- Applications, RESTful APIs, API Gateways
- DuoCircle Web (Public Website)
- DuoCircle Support (Freshdesk)
- Backup Services (AWS Backup, AWS S3)
At this moment there are no additional components that were identified as vulnerable to the exploit.
We are constantly monitoring the response of security researchers for further discoveries related to this vulnerability and others that may arise. Further updates will be posted on this page as necessary.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
