On December 10th, 2021, news broke of a serious zero-day remote code execution exploit (CVE-2021-44228) in log4j, the most popular Java logging framework, used by Java software far and wide.
This affects anyone using log4j to perform logging, and anyone using software that uses log4j, which represents a large population of the enterprise Java software currently available.
Many of our clients' internal security teams have reached out to us asking if any of Catchpoint's products use log4j, or if we have otherwise been impacted by this vulnerability.
The following is Catchpoint's official statement regarding this vulnerability.
To whom it may concern:
Catchpoint is aware of and is carefully monitoring the news regarding the log4j zero-day vulnerability (CVE-2021-44228).
We have verified that our production infrastructure does not use log4j. We have confirmed this through both manual inspection and vulnerability scanning.
To our knowledge, customer production data for both Catchpoint and WebPageTest is not at risk as a result of this vulnerability. We are continuing to monitor the situation and following our Incident Response Plan guidelines to ensure that the proper process is followed.
Our vendor contracts flow down these Incident Response requirements to any vendors who come into contact with customer data, and we are currently working with relevant vendors to confirm that their infrastructure is not vulnerable. We will update this letter once all such vendor impact has been verified.
Our Security Operations Center (SOC) is monitoring for unusual traffic patterns. This, in conjunction with our ongoing security scanning and reviews, will continue to protect our customers from known threats such as this one.
For any further questions regarding this situation, please reach out to Catchpoint Support (support@catchpoint.com), or to your Customer Success Manager.