On December 10, 2021, SafetyCulture became aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). We are actively investigating its impact on our solutions and the third-party service providers we utilize to offer our solutions.
SafetyCulture has taken various steps to keep our customers safe and protected, including deploying additional rules to our Web Application Firewall provided by Cloudflare CDN. We are also working with CrowdStrike (who continually scan and monitor our system endpoints) to confirm they have not observed any unusual behavior in network traffic, on our file systems, or processes. To date, CrowdStrike has confirmed that no such behavior exists.
SafetyCulture has confirmed that there has not been any degradation of our services as a result of this vulnerability, and that there are no versions of the Log4j2 utility within the iAuditor web or mobile applications. We have identified one service (via a third-party library we had previously used) that included an affected library. This library was not in use and there was no information that could be vulnerable to a Log4j2 exploit via this service. Mitigation of any future exploitation has also been completed.
We continue to work with our trusted third-party service providers to assess and mitigate any potentially vulnerable systems we utilize.
If you have any further questions, please contact us at email@example.com