On December 10, 2021, CircleCI became aware of a vulnerability in the widely used Java logging library log4j (CVE-2021-44228, commonly called Log4Shell). After a thorough review of our codebase, software, and infrastructure, we have no reason to believe that this vulnerability has been exploited.
We have identified 23 repositories and 3 services that either included or referenced the library, and have confirmed that the attack paths exposed by this vulnerability cannot be reached in our environment. This assessment covers our use of secondary and transitive software dependencies as well as third-party services.
We have reviewed our supply chain and critical data sub-processors, and have not identified ways in which this vulnerability could be exploited in the CircleCI environment, in our software, or to obtain access to our customer or enterprise data.
We are aggressively patching all known instances of this vulnerability in our repositories, and updating our third-party software and services as fixes become available and appropriate. While we are confident that this vulnerability does not represent a risk to CircleCI in and of itself, we remain committed to a strong, forward-looking security posture.
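The inventory step described above (finding every repository and service that ships log4j-core, then patching the known instances) is the part of such a response that can be automated. What follows is an added example, not CircleCI's tooling or code from this page: a Python script that walks a directory of build artifacts, opens each jar/war/ear, reads the log4j-core version from the bundled Maven pom.properties, and also checks for the JndiLookup class, which shaded or renamed jars still carry even when the Maven metadata is gone. The fixed-version table (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046) comes from the public log4j release notes and assumes Java 8+ builds (the 2.12.x line for Java 7 is not modelled). The make_sample_jar and build_demo_tree helpers write constructed stand-in archives for an offline demonstration; they are not the real library.

```python
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Class that implements log4j's JNDI lookup. It survives shading/renaming,
# so its presence is a robust marker for log4j-core 2.x inside any archive.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"

# First fixed release per advisory (assumption: Java 8+ builds only).
FIXED_FOR = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(path):
    """Return (log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_jndi = JNDI_LOOKUP in names
        version = None
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.MULTILINE)
                if m:
                    version = m.group(1)
    return version, has_jndi


def scan(root):
    """Walk root for jar/war/ear files and report every log4j-core artifact found."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix.lower() not in (".jar", ".war", ".ear"):
            continue
        try:
            version, has_jndi = inspect_archive(p)
        except zipfile.BadZipFile:
            continue  # not a zip-based archive; nothing to inspect
        if version is None and not has_jndi:
            continue  # no trace of log4j-core in this archive
        parsed = parse_version(version) if version else None
        if parsed is None:
            affected = ["unknown-version"]  # flag for manual review rather than a silent pass
        else:
            affected = [cve for cve, fixed in FIXED_FOR.items() if parsed < fixed]
        findings.append({"path": str(p), "name": p.name, "version": version,
                         "jndi_lookup": has_jndi, "affected": affected})
    return findings


def make_sample_jar(path, version=None, include_jndi=True):
    """Write a constructed stand-in for a log4j-core jar (not the real library)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PREFIX + "pom.properties",
                        f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_demo_tree():
    """Create a temp directory of constructed sample archives; returns its path."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    make_sample_jar(os.path.join(root, "shaded-app.jar"))                     # JndiLookup, no pom
    make_sample_jar(os.path.join(root, "unrelated.jar"), include_jndi=False)  # empty archive
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for f in scan(root):
        print(f"{f['path']}: version={f['version']} jndi={f['jndi_lookup']} affected={f['affected']}")
```

Run it with a directory argument to scan real build output, or with no argument to scan the constructed demo tree. It deliberately does not descend into archives nested inside a war or ear, and an archive that carries JndiLookup but no Maven metadata is reported as "unknown-version" so that it lands in front of a human instead of being silently treated as clean.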
We will also be updating references to log4j in our documentation and code comments to avoid confusion.
12/15/2021 Update: An additional vulnerability (CVE-2021-45046) was announced on December 14th, and we have continued to monitor the situation. As with the first, we have not identified ways in which this vulnerability could be exploited in the CircleCI environment, in our software, or to obtain access to our customer or enterprise data.