Falcony incident

Log4j2 vulnerability (CVE-2021-44228)


Falcony experienced a notice incident on December 13, 2021 affecting Falcony and audits.io, lasting 43d 23h. The incident has been resolved; the full update timeline is below.

Started: Dec 13, 2021, 09:56 AM UTC
Resolved: Jan 26, 2022, 09:09 AM UTC
Duration: 43d 23h
Detected by Pingoru: Dec 13, 2021, 09:56 AM UTC

Affected components

Falcony, audits.io

Update timeline

  1. investigating Dec 13, 2021, 09:56 AM UTC

    At Plan Brothers, Trust is our #1 value, and we take the protection of our customers’ data very seriously. We are aware of the recently disclosed Apache Log4j2 vulnerability (CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228). Our services' own codebase does not use Log4j2. We are actively monitoring this issue, and seeing if this affects any of our subprocessors.

  2. monitoring Dec 14, 2021, 08:39 AM UTC

    We have identified that our sub processor Amazon Web Services (AWS) had their S3 service affected by the Log4J vulnerability. The vulnerability has been fully patched by AWS. Related AWS incident: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/. AWS S3 is used for hosting attachments in both incy.io and audits.io. We're not aware of any exploits of the vulnerability, or unauthorized access of data. We are still actively monitoring this issue, and seeing if this affects any additional sub processors.

  3. monitoring Dec 17, 2021, 11:26 AM UTC

    We have identified that two additional sub processors have been affected by the Log4J vulnerability:

    - Mailgun, see https://status.mailgun.com/
    - Postmark, see https://postmarkapp.com/updates/update-on-the-recent-log4j-vulnerability

    Both services have patched the vulnerability. Mailgun and Postmark are used for email delivery in incy.io and audits.io. We're not aware of any exploits of the vulnerability, or unauthorized access of data. We are still monitoring if the issue affects any additional sub processors.

  4. monitoring Jan 26, 2022, 09:08 AM UTC

    We have identified that our sub processor Amazon Web Services (AWS) had their RDS service affected by the Log4J vulnerability. The service has been updated to mitigate the issues identified in CVE-2021-44228. Amazon RDS is used for BI integrations in both incy.io and audits.io. We're not aware of any exploits of the vulnerability, or unauthorized access of data.

  5. resolved Jan 26, 2022, 09:09 AM UTC

    We've identified all of our subprocessors that were affected by this incident. All related services have been patched, and this incident is now resolved.