Hint Health incident

Log4j security incident CVE-2021-44228

Notice Resolved

Hint Health experienced a notice incident on December 14, 2021, lasting —. The incident has been resolved; the full update timeline is below.

Started: Dec 14, 2021, 10:33 PM UTC
Resolved: Dec 14, 2021, 10:33 PM UTC
Duration
Detected by Pingoru: Dec 14, 2021, 10:33 PM UTC

Update timeline

  1. resolved Dec 14, 2021, 10:33 PM UTC

    A zero-day vulnerability in the Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021, which can be easily exploited to perform remote code execution. You can read more about this vulnerability here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

    Hint's security team reviewed Hint's infrastructure and ensured that all impacted services have been patched. Hint is hosted on Aptible, and you can read about Aptible's response to Log4j here: https://status.aptible.com/incidents/gk1rh440h36s.

    Hint does not use Java or any Apache services to deliver our HintOS application; however, we use ElasticSearch (hosted on Aptible) to store server monitoring data (e.g. CPU and memory usage). This ElasticSearch database has been patched as part of Aptible's response. The ElasticSearch instance is hosted in our private cloud and has no public endpoints. It is only accessible internally by a web service whose only public endpoint requires username and password authentication and is behind Hint's corporate VPN.

    Hint believes that it would not have been possible to exploit the Log4j vulnerability against any of Hint's systems or customer data; however, we will continue to monitor the situation.