Originally Posted Dec 10, 2021 @ 5:35pm CT
Workiva is aware of the Apache Log4j2 CVE (CVE-2021-44228), and will continue to investigate the situation as it evolves.
Workiva utilizes the Log4j2 library in some components of the Workiva Platform. We have patched and deployed fixed versions of the library to our production environment. Additionally, we are working with our vendors and partners to identify any potential upstream impact.
Workiva takes the safety and security of our customers' data seriously. As we continue to monitor the situation, if we determine there is any impact to the Workiva Platform, we will take all appropriate measures to help protect our customers.
Update: Dec 16, 2021 @ 4:17pm CT
Due to the newly reported vulnerability with the 2.15 version of Log4j (CVE-2021-45046), Workiva has patched our usage of the library to the 2.16 version across all environments. We continue to work with our third parties to identify and mitigate any upstream impact.
To date, there has been no impact to our platform or customer data. If that changes, we will notify affected customers without any undue delay.
Update: Dec 22, 2021 @ 9:21am CT
Due to the newly reported vulnerability with the 2.16 version of Log4j (CVE-2021-45105), Workiva has patched our internal usage of the library to the 2.17 version across all environments. Workiva is working with our third parties to ensure we have updated versions of their software available and deployed in our environment by December 24th.
To date, there has been no impact to our platform or customer data. If that changes, we will notify affected customers without any undue delay.
Update: Jan 12, 2022 @ 8:33am CT
Workiva systems were fully patched to Log4j2 2.17 as of December 24th, 2021. Although Workiva has investigated and determined that we are not vulnerable to the newest CVE (CVE-2021-44832), we are additionally patching all systems to 2.17.1 under our standard patching timelines.
We continue to work with our third parties to identify and mitigate any upstream impact.
Update: March 29, 2022 @ 3:53pm CT
Workiva has patched our usage of the library, and updated third-party provided software, to Log4j 2.17.1 across all environments.
To date, there has been no impact to our platform or customer data. If that changes, we will notify affected customers without any undue delay.