SheerID Response To Log4j Vulnerability
On December 9, 2021, a vulnerability in Log4j was publicly disclosed. Log4j is a widely used logging library from the Apache Software Foundation that appears in countless applications around the world. Because attackers have been actively trying to exploit the vulnerability, it has become a worldwide problem. Since becoming aware of this vulnerability, we have been evaluating SheerID applications and systems to determine whether any are potentially vulnerable to this exploit.
No Impact To SheerID Clients
The SheerID information security and engineering teams have confirmed that all of SheerID's critical applications and services that access customer data either have been upgraded or do not use a vulnerable version of this popular logging library. No client verification data has been lost or impacted as a result of this vulnerability.
What We Are Doing
Our information security and engineering teams have assessed the potential impact of this vulnerability on a service-by-service basis, prioritized by criticality and risk level. Using our dependency management configurations, we have inventoried the services that use Log4j as a direct or transitive dependency and have confirmed that no exploitable instance is present. In addition, we are working with our integrated service providers to ensure their solutions have been remediated accordingly.
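As an added illustration of that inventory step (not SheerID's own tooling), the following Python parses the text output of `mvn dependency:tree` for each service and reports every log4j-core occurrence, whether it arrived as a direct or a transitive dependency, and whether its version is below a patched minimum the caller supplies. The service names, the dependency trees and the minimum version are constructed sample values; substitute the fixed version from the Apache advisory for your Log4j line.

```python
import re
from collections import namedtuple

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
# direct: first-level dependency; vulnerable: version below the caller's min_fixed
Finding = namedtuple("Finding", "artifact version direct vulnerable")

def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def inventory_log4j(tree_text, min_fixed):
    """Parse `mvn dependency:tree` text output and report every log4j-core node.
    Each three characters of line prefix is one nesting level; classifiers are not handled."""
    findings = []
    for line in tree_text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = re.match(r"^((?:[|+\\\- ]{3})*)(\S+)", body)
        if not m:
            continue
        prefix, coords = m.groups()
        depth = len(prefix) // 3        # 0 = the project itself, 1 = direct dependency
        parts = coords.split(":")       # groupId:artifactId:type:version[:scope]
        if depth == 0 or len(parts) < 4 or f"{parts[0]}:{parts[1]}" != LOG4J_CORE:
            continue
        version = parts[3]
        findings.append(Finding(LOG4J_CORE, version, depth == 1,
                                version_key(version) < version_key(min_fixed)))
    return findings

# Constructed sample trees for two hypothetical services; not real SheerID output.
SAMPLE_TREES = {
    "verification-api": """\
[INFO] com.example:verification-api:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
""",
    "legacy-reporting": """\
[INFO] com.example:legacy-reporting:jar:3.2.0
[INFO] \\- com.example:shared-logging:jar:1.4.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
""",
}

if __name__ == "__main__":
    # "2.17.0" is a placeholder minimum; take the real one from the Apache advisory.
    for service, tree in SAMPLE_TREES.items():
        for f in inventory_log4j(tree, min_fixed="2.17.0"):
            print(f"{service}: {f.artifact} {f.version} "
                  f"({'direct' if f.direct else 'transitive'}) vulnerable={f.vulnerable}")
```

The transitive copy pulled in by the legacy module is the one a direct-only scan would miss, which is why the tree, not the POM, is the input.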
We have observed attempts to exploit this vulnerability, but have not observed any successful exploitation in our environment.
We Continue To Monitor The Situation
We have determined that there is no impact on systems that contain customer data. We will continue to assess lower-risk services this week and, by 12/17/2021, mitigate any vulnerable systems, either by upgrading to a patched version of the library or by configuring the JVM to disallow lookups.
If you are a client with questions or concerns, please reach out to your SheerID Customer Service Manager. We will provide updates to this page as needed.