Welkin Health incident

Update: Zero-day vulnerability in the Log4j Java library


Welkin Health experienced a notice incident on December 14, 2021 affecting Care and Designer and 1 more component, lasting —. The incident has been resolved; the full update timeline is below.

Started: Dec 14, 2021, 08:36 PM UTC
Resolved: Dec 14, 2021, 08:36 PM UTC
Duration: —
Detected by Pingoru: Dec 14, 2021, 08:36 PM UTC

Affected components

Care, Designer, Admin, Welkin API

Update timeline

  1. resolved Dec 14, 2021, 08:36 PM UTC

    Customers on Welkin Health v7: v7 does not utilize Apache Log4j. Welkin Health v7 uses different logging technology.

    Customers on Welkin Health v8: Thank you for your continued patience and support as we continue to monitor the situation. We have determined the following:

    Welkin Health service:

    1. We do not use Log4j directly.
    2. At this point, we believe the service is not vulnerable as we leverage a framework and utilize a Java version that mitigates the vulnerability. We are continuing to monitor all possibilities.
    3. Additionally, we have controls and rules on a network level that render this vulnerability less likely to be exploited.
    4. Out of an abundance of caution, we released an update on Saturday, December 11, 2021 around 1:20 AM to upgrade logging versions to the latest release.

    Relevant Information:

    To learn more about the vulnerability:

    * https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    * https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228
    * https://logging.apache.org/log4j/2.x/security.html

    Thank you again, and we will continue to provide updates as required. If you have any additional questions or concerns, please open a case using our support systems or email to ([email protected]).

    Internal reference number: SIM-8