BlueConic incident

Update on Log4j vulnerability (CVE-2021-44228) and BlueConic


BlueConic experienced a notice incident on December 12, 2021 affecting Cluster EU 1 and Cluster US 1 and 1 more component, lasting 11d 17h. The incident has been resolved; the full update timeline is below.

Started
Dec 12, 2021, 04:47 PM UTC
Resolved
Dec 24, 2021, 10:14 AM UTC
Duration
11d 17h
Detected by Pingoru
Dec 12, 2021, 04:47 PM UTC

Affected components

Cluster EU 1, Cluster US 1, Sandbox US 1, Cluster APAC 1, Cluster EU 2, Cluster US 2, Cluster EU 3, Cluster US 3, Sandbox EU 1, Cluster US 4

Update timeline

  1. identified Dec 12, 2021, 04:47 PM UTC

    BlueConic became aware of the log4j vulnerability on Friday, December 10, 2021 at 8am CET. Our security team immediately started investigating to what extent the BlueConic services would be vulnerable. From the investigation, two parts of the software were identified which are using vulnerable log4j components. Neither component was handling user input directly, and we assessed the risk of abuse of the vulnerability as lower than critical. Overnight Saturday, December 11, patches were deployed that resolved the vulnerability. We will continue to monitor news updates on this vulnerability to ensure the continued protection of our customers’ data and availability of the BlueConic services.

  2. monitoring Dec 15, 2021, 02:01 PM UTC

    On Tuesday, December 14, 2021, 10pm CET, a new vulnerability for log4j was reported (CVE-2021-45046). Our security team investigated whether the BlueConic services were vulnerable to this issue, and the team concluded with a high probability that the BlueConic services had no exposure. To further ensure that there will not be any exposure to the vulnerability, we have proactively patched the two components using log4j to version 2.16.0.

  3. monitoring Dec 19, 2021, 08:06 AM UTC

    On Saturday, December 18, 2021, 10pm CET, a new vulnerability for log4j was reported (CVE-2021-45105). Our security team investigated whether the BlueConic services were vulnerable to this issue and proactively patched the two components using log4j to version 2.17.0 when the new version became available.

  4. resolved Dec 24, 2021, 10:14 AM UTC

    Since the previous update on December 19, our security team has continued to monitor news updates. No new vulnerabilities in log4j were reported. We are confident that by applying the latest version (2.17.0) the vulnerabilities are resolved and the incident can be closed. We will continue to monitor relevant sources for new information and will create a new incident if necessary.
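The three updates above each hinge on the same check: which log4j-core version a component ships and whether that version is still short of the fix for each CVE. The script below is an added example, not BlueConic's tooling. It walks a directory tree for log4j-core jars and reports the outstanding CVEs per jar; 2.16.0 and 2.17.0 are the fix versions named in the updates, 2.15.0 for CVE-2021-44228 is from the upstream Log4j advisory, and it assumes the 2.x mainline only (the 2.12.x and 2.3.x backport branches are not modelled).

```python
import re
import zipfile
from pathlib import Path

# First 2.x mainline release fixing each CVE from the incident timeline.
# 2.16.0 / 2.17.0 are the versions BlueConic patched to; 2.15.0 is from the
# upstream advisory. Assumption: mainline only, no 2.12.x / 2.3.x backports.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.16' -> (2, 16, 0): three-part tuples compare correctly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_cves(version):
    """CVEs a log4j-core 2.x version is still exposed to ([] once patched)."""
    v = parse_version(version)
    if v < (2, 0, 0):
        return []  # log4j 1.x is end-of-life but not affected by these three
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def jar_version(path):
    """Version from the jar filename, else from META-INF/MANIFEST.MF."""
    if (m := JAR_NAME.search(path.name)):
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def scan(root):
    """Map every log4j-core jar under root to its outstanding CVEs."""
    findings = {}
    for jar in Path(root).rglob("*log4j-core*.jar"):
        ver = jar_version(jar)
        findings[str(jar)] = affected_cves(ver) if ver else ["version unknown"]
    return findings


if __name__ == "__main__":
    for jar, cves in scan(".").items():  # scan the current directory tree
        print(jar, "patched" if not cves else ", ".join(cves))
```

Shaded or fat jars that bundle log4j classes without a log4j-core filename or manifest will not be caught by this check; a class-level scan is needed for those.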