What’s the issue?
Over the weekend, news started to break about a high-severity security vulnerability in the Java-based Log4j logging framework. This vulnerability can potentially give an untrusted source the ability to perform Remote Code Execution (RCE) on a vulnerable system or device by sending it a malicious payload (a specially crafted string of characters). This type of vulnerability is particularly serious because it could lead to a complete compromise of the target system.
Does this impact Dotdigital?
At Dotdigital, we don’t use Java to build our software. Therefore, our SaaS products are not impacted by this vulnerability.
However, we’ve formed a team to assess the products and services used around our business and have taken some precautionary steps based on vendor recommendations. In addition, we’re contacting all of our critical suppliers to assess any potential impact on our supply chain.
We’ll continue to monitor the situation closely and provide any further updates here. In the meantime, if you have any specific questions, you can contact us by email at email@example.com.
Conclusion following investigations (22 December 2021)
As our investigations into the Log4j issues are being concluded, we'd like to provide a brief update. As previously stated, Dotdigital's services were not impacted by this issue as the vulnerable component is not used in our code. Our security and engineering teams have continued to analyze the third-party systems and services used around the business and have concluded there has been no risk to the confidentiality, integrity, or availability of customer data, or the systems processing it. If you have any further questions, contact us at firstname.lastname@example.org.