
Log4j Security Response - Squadcast is not affected by RCE Vulnerability

December 16, 2021

At Squadcast, we firmly believe that the security of our platform and of our customers' data is of utmost importance, and we are transparent about any incident, especially one that threatens our security. To that end, we want to provide an update on the recently discovered zero-day vulnerability in the Java logging library Log4j.

What happened?

On December 9, 2021, Apache publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library, Log4j. Since we do not use Log4j, Squadcast is not directly affected by the vulnerability. However, we’re auditing our integrations with critical vendors to ensure that there is no indirect impact.

Our Findings

Our own infrastructure is not vulnerable, and hence our platform is not impacted by this vulnerability. You can continue to use Squadcast and need not take any action. One of our cloud-based vendors, Elasticsearch, was vulnerable, but they have patched it as well.

Additionally, Squadcast is not a Java shop, so we do not use the Java libraries of either of our notification providers, Twilio and Plivo. Even if either of them is affected by the vulnerability, it does not impact us as a Twilio/Plivo client.

Next steps

We’re continuously following up with our critical vendors to ensure that they’re applying the appropriate patches to their systems if they’re impacted by the vulnerability. As of today, we do not see any impact from our critical vendors either. We are continuing to monitor this issue, will determine whether additional actions are required, and will update this blog accordingly.

For more information about our vendors, visit this page which has all the details about the Sub-processors of Squadcast.

Update: 17 Dec 2021

The table below lists our vendors and their vulnerability status as of 17th Dec 2021. This table will be updated on a regular basis.

| Product / Vendor | Vulnerable | Status | Additional details |
| --- | --- | --- | --- |
| Squadcast | No | Safe | |
| Squadcast Jira Plugin | Yes | Patched, Safe | https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html and https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html |
| Twilio | Yes | Patching in Progress | https://www.twilio.com/blog/response-log4j-vulnerability |
| Plivo | No | Safe | |
| Google Cloud Platform | No | Safe | The product and versions being used by Squadcast are not vulnerable. https://cloud.google.com/log4j2-security-advisory |
| Amazon Web Services | Yes | Patched, Safe | https://aws.amazon.com/security/security-bulletins/AWS-2021-006/ |
| Stripe | Yes | Patched, Safe | https://support.stripe.com/questions/update-for-apache-log4j-vulnerability-(cve-2021-44228) |
| Chargebee | No | Safe | Confirmed by vendor. |
| Hubspot | No | Safe | https://www.hubspot.com/log4j2 |
| Intercom | Yes | Patched, Safe | https://www.intercomstatus.com/incidents/ss5hp81rhv1l?u=70vbc0dstm47 |
| LogDNA | No | Safe | Confirmed by vendor. |
| LogRocket | Unknown | Unknown | We have reached out to the vendor for more details. |
| Slack | Yes | Mitigation in place, patching in progress | https://help.salesforce.com/s/articleView?id=000363736&type=1 |
| Segment.io | - | - | Not using it anymore. |
| Mixpanel | No | Safe | https://community.mixpanel.com/data-management-10/log4j-vulnerability-6006 |
| MongoDB | Yes, only Atlas search | Patched, Safe | https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb |
| Mailchimp | Unknown | Unknown | We have reached out to the vendor for more details. |
| Zendesk | Yes | Mitigation in progress | https://support.zendesk.com/hc/en-us/articles/4413583476122 |
| OneSignal | No | Safe | https://onesignal.com/blog/onesignal-is-not-impacted-by-lo/ |
| Userflow | Unknown | Unknown | We have reached out to the vendor for more details. |
| Mailgun | Yes | Patched, Safe | https://status.mailgun.com/ |
| ElasticSearch | Yes | Patched, Safe | https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 |