Log4j is Not Used in AskCody
The internet is buzzing with stories about vulnerabilities and breaches related to Apache Log4j. But you can rest assured: the security vulnerability found in Log4j does not impact AskCody, since we have no Java applications. You can read here: Why AskCody is not affected by the breach.
What is Log4j?
Log4j is a software tool used in hundreds of millions of devices worldwide. It is used to log application data in Java applications. Time magazine published an article about Log4j. In short, they echoed the message from security experts calling it "One of the worst computer vulnerabilities ever seen".
AskCody & Log4j
AskCody is not affected by Log4j because we have no Java applications. Furthermore, the Microsoft Azure services we use are not affected either, according to Microsoft themselves. In short, you can feel safe knowing that this vulnerability does not apply to us.
We have requested detailed descriptions of any vulnerability risks from sub-processors. Below you will see their answers and how they relate to AskCody.
Twilio
We use Twilio Programmable Messaging. Twilio has released this article. Their latest update states that Twilio is aware of an additional security advisory indicating that under certain configurations, Apache Log4j versions through 2.17.0 are vulnerable to exploitation through a remote code execution (RCE) attack. Twilio security has conducted an assessment of the vulnerability, also known as CVE-2021-44832, and determined that due to the conditions that must exist for this vulnerability to be exploitable and current protective measures in place to mitigate against exploitation, remediation efforts will follow Twilio's standard vulnerability management process.
At this time, no action is required by Twilio customers.
Postmark
We use Postmark's Email Service Provider for sending email notifications to AskCody users. You can see their response to the vulnerability here. Bottom line - Postmark's services are not affected by the vulnerability.
Appcues
We use Appcues for onboarding flows, surveys, and in-app feature announcements.
We have been in contact with Appcues, who have given the following response:
Appcues is not affected by the Log4j vulnerability, as we do not have any applications written in Java, or using the Log4j library. Additionally, we have conducted scans internally, using our security monitoring tools, for 3rd party software in our environment that may be affected, and we have not found any results.
AskCody will continue to monitor the situation and keep up to date with our sub-processors to make sure that we are aware of any vulnerabilities.
