Log4Shell Vulnerability

ClearView is aware of the recently identified zero-day vulnerability in the Apache “Log4j2” library (CVE-2021-44228), referred to as Log4Shell, which can allow execution of arbitrary code on an affected server. In response, our security and engineering teams have audited our infrastructure and vendors to determine how this vulnerability impacts the ClearView solution.

The core ClearView solution and integration infrastructure do not use the impacted library or rely on server technologies that use the Log4j2 framework, meaning that the core ClearView application is not affected by this exploit.

We have also worked with our vendors to ensure that any impacted services were patched quickly.  A core cloud database provider identified and quickly patched a vulnerable web search utility and upon further audits has seen no indication that the vulnerability had been exploited.  Impacted AWS services that ClearView relies on were also patched in a timely manner.

We take threats of this nature seriously and continue to monitor the security landscape to ensure customer data remains secure. If you have any questions, please reach out to our partners or directly to us at ITServices@clearviewlive.com.

December 23rd 2021 Update

Since the initial vulnerabilities were discovered in the Log4j library earlier this month, additional variants have been identified, including CVE-2021-45105 and CVE-2021-45046.  The ClearView team is continuing to monitor potential impact from these vulnerabilities to ensure the security of our customers’ information.  There is no impact to the core ClearView systems from these recent security announcements, as Java and the Log4j library are not used in any ClearView development.  We are continuing to monitor the status of each of our vendors and have confirmed with each vendor that they are not impacted or have fully patched affected systems, both from the initial vulnerability and the recently discovered variants.

For additional information, please see links to key vendor responses below.

MongoDB

Microsoft

AWS

ElasticSearch