Updated December 20, 2021 due to the discovery and announcement of additional Apache Log4j vulnerabilities
In December 2021, a critical-severity security vulnerability was discovered in the Apache Log4j library, which is commonly used in applications. This vulnerability was widely publicized by many security and technology news sources. Soon after the initial announcement, several additional vulnerabilities were discovered and announced.
Information about Apache Log4j security vulnerabilities can be found at this link - Apache Log4j Security Vulnerabilities
This statement includes analysis and response for the following vulnerability announcements:
CVE-2021-44228 - Critical - Affected all versions from 2.0-beta9 to 2.14.1
CVE-2021-45046 - Critical - Affected all versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
CVE-2021-45105 - High - Affected all versions from 2.0-beta9 to 2.16.0
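To make the version ranges listed above actionable, the following added example (not Kahua's code) classifies a Log4j 2 version string against the three CVEs exactly as the ranges are stated on this page, and then runs that check over a software-inventory listing to find log4j-core jars. The file paths in the sample inventory are constructed for the example; the page's ranges are simplified compared with Apache's advisory, which also tracks fixed releases on the 2.3.x and 2.12.x branches, so a production check should be driven by the Apache security page.

```python
"""Classify Log4j 2 versions against the CVE ranges stated in the statement above.
Added example; not Kahua's code. Ranges are taken from the page as written."""
import re

# (CVE, first affected version, last affected version, explicitly excluded versions)
AFFECTED = (
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
)


def parse_version(v):
    """Turn a version such as '2.0-beta9' or '2.14.1' into a comparable tuple.

    Numeric parts come first (padded to three components), then a pre-release
    marker: a final release sorts after any pre-release of the same numbers.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-zA-Z]+)(\d+)?)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad 2.0 -> 2.0.0
    if m.group(2):  # pre-release suffix such as beta9 or rc1
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)  # final release
    return nums + pre


def affecting_cves(version):
    """Return the CVEs from the page's list whose stated range contains `version`."""
    pv = parse_version(version)
    hits = []
    for cve, lo, hi, excluded in AFFECTED:
        if version in excluded:
            continue
        if parse_version(lo) <= pv <= parse_version(hi):
            hits.append(cve)
    return hits


# Only log4j-core carries the vulnerable lookup code; log4j-api alone is not affected.
LOG4J_CORE_JAR = re.compile(r"log4j-core-(.+?)\.jar$")


def scan_inventory(paths):
    """Map each log4j-core jar in an inventory listing to the listed CVEs it falls under.

    `paths` is any iterable of file paths, e.g. an export from a software inventory tool.
    """
    report = {}
    for p in paths:
        m = LOG4J_CORE_JAR.search(p)
        if m:
            report[p] = affecting_cves(m.group(1))
    return report


# Constructed sample inventory for the example; these are not real paths.
SAMPLE_INVENTORY = [
    "/opt/support/tool-a/lib/log4j-core-2.14.1.jar",
    "/opt/support/tool-a/lib/log4j-api-2.14.1.jar",
    "/opt/support/tool-b/lib/log4j-core-2.12.2.jar",
    "/opt/support/tool-c/lib/log4j-core-2.16.0.jar",
    "/opt/support/tool-d/lib/log4j-core-2.17.0.jar",
]

if __name__ == "__main__":
    for path, cves in scan_inventory(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(cves) or "none of the listed CVEs")
```

The version parser treats `2.0-beta9` as older than `2.0`, so `2.0-beta8` falls outside every range while the beta9 lower bound is included. The exclusion list handles the one special case the page calls out (2.12.2 for CVE-2021-45046); the inventory scan deliberately ignores `log4j-api` jars, since the issue sits in `log4j-core`.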
The exposure of the Apache Log4j security vulnerabilities to Kahua is described below:
1. Does Kahua use (or did Kahua use) the vulnerable versions of Log4j, which affected most versions between 2.0-beta9 and 2.16.0?
Kahua has internal support services using impacted versions of the Log4j library.
2. Is Kahua aware of these vulnerabilities within or related to any systems or external technology services provided through Kahua (examples: DocuSign or Wistia)?
The Kahua platform does not expose the vulnerabilities that were discovered and announced in the above list of CVEs. The services provided to our customers were not vulnerable. A review of the logs and usage of the platform has confirmed that no breach was possible and no breach occurred.
3. Has Kahua reviewed its environment to determine whether it was impacted or whether any breach occurred?
Yes, Kahua has reviewed our platform for any usage. The internal support services referenced above are the only usage.
4. Has Kahua put in patches and/or mitigating controls against these vulnerabilities?
Yes, while Kahua did not have any external exposure, we have applied mitigating controls to the internal support services. Kahua has applied patched versions of the Apache Log4j library to the services that were running affected versions of Apache Log4j.
5. Has Kahua assessed its security measures to ensure that it has proper measures in place to prevent, detect, and respond to these types of vulnerabilities?
Yes, Kahua's architecture prevented any issue from occurring. Our comprehensive software inventory tracking quickly let us review any potential components that could be vulnerable, and our ability to immediately apply a mitigation worked properly.
Kahua will continue to monitor our security channels as these vulnerabilities are addressed and the scope of their impact is identified within the industry. If we become aware of any issue that impacts our customers, whether from a service we use or from another indirect impact, they will be notified immediately, and we will take the action(s) necessary to protect our customers' data.