Log4j Update
Incident Report for SafetyCulture
Resolved
SafetyCulture has completed working with trusted third-party service providers, and there are no outstanding remediations for the Log4j2 utility across our information technology infrastructure.
Posted Jan 19, 2022 - 05:24 UTC
Update
SafetyCulture is continuing to work with our trusted third-party service providers and monitoring the impact of the Log4j2 utility across our information technology infrastructure.

Additional Web Application Firewall rules have been added in partnership with Cloudflare to further protect the continuity of the services we provide to our entire customer base.
Posted Dec 22, 2021 - 03:58 UTC
Monitoring
On December 10, 2021, SafetyCulture became aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively investigating its impact on our solutions and the third-party service providers we utilize to offer our solutions.

SafetyCulture has taken various steps to keep our customers safe and protected, including deploying additional rules to our Web Application Firewall provided by Cloudflare CDN. We are also working with CrowdStrike (who continually scan and monitor our systems' endpoints) to confirm they have not observed any unusual behavior in network traffic, on our file systems, or in processes. To date, CrowdStrike has confirmed that no such behavior exists.

SafetyCulture has confirmed that there has not been any degradation of our services as a result of this vulnerability, and that there are no versions of the Log4j2 utility within the iAuditor web or mobile applications. We have identified one service (via a third-party library we had previously used) that included an affected library. This library was not in use and there was no information that could be vulnerable to a Log4j2 exploit via this service. Mitigation of any future exploitation has also been completed.

We continue to work with our trusted third-party service providers to assess and mitigate any potentially vulnerable systems we utilize.

If you have any further questions, please contact us at support@safetyculture.com
Posted Dec 16, 2021 - 05:23 UTC