More than likely, you’ve seen the news about a critical security flaw surfacing in a widely used piece of development software known as Log4j. This security vulnerability has become a well-documented event because of how broadly it affects much of the internet. Large organizations such as Apple, Amazon, Microsoft, Twitter, and many others currently leverage the Log4j framework and are working to track attempted attacks and close off any exposure until it’s patched.
For LivePlan users, you’ll be glad to hear that we do not make use of Log4j in any of our services. However, if there are any concerns about the security of LivePlan and your business information—we’d like to lay out what we know about the Log4j flaw and how we’re responding.
What is Log4j?
Log4j is a free, open-source Java framework used for application logging. It helps software developers build an activity record that assists with data tracking, troubleshooting, site or software audits, and so on: essentially anything in a web-based application that requires compiling and tracking user data in order to run effectively.
It’s been downloaded millions of times, is leveraged by organizations large and small, and is maintained by volunteers who work within the nonprofit Apache Software Foundation.
How are hackers using this Log4j vulnerability?
Even if an organization isn’t directly using Log4j in development, the vulnerability may still be present if any part of their business relies on an open-source library that itself depends on Log4j. Hackers had over a week to start exploiting this flaw before it was disclosed by Apache.
The main concern is that hackers are able to easily access servers and execute code remotely. This means that they can target specific computers, steal data, and even install malware to hijack internet infrastructure. The biggest potential threat is if hackers gain enough access to deploy ransomware that can lead to a total lockout of an organization’s systems.
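Because Log4j so often arrives indirectly, bundled inside another library's jar or inside an application's war file, the practical first step for a defender is an inventory. The script below is an added example, not LivePlan's code: it opens Java archives, recurses into nested jars/wars, and reports every copy of log4j-core it finds along with the version recorded in the artifact's Maven pom.properties file. The sample application archive and its version string are constructed inline for the demonstration.

```python
import io
import zipfile
from pathlib import Path

# Maven-built jars carry this file, which records the artifact's version.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_log4j_core(data: bytes, label: str) -> list[tuple[str, str]]:
    """Return (location, version) for each log4j-core inside the archive bytes.

    Nested archives (fat jars, wars, ears) are searched recursively; the
    location uses '!' to show the nesting path, as Java class loaders do.
    """
    hits: list[tuple[str, str]] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    with archive:
        for name in archive.namelist():
            if name == LOG4J_CORE_POM:
                props = archive.read(name).decode("utf-8", "replace")
                version = next((line.split("=", 1)[1].strip()
                                for line in props.splitlines()
                                if line.startswith("version=")), "unknown")
                hits.append((label, version))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_log4j_core(archive.read(name), f"{label}!{name}"))
    return hits


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Walk a deployment directory and inventory log4j-core in every archive."""
    hits: list[tuple[str, str]] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(find_log4j_core(path.read_bytes(), str(path)))
    return hits


def build_sample_app() -> bytes:
    """Constructed sample: a war bundling a library that bundles log4j-core."""
    def make_zip(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry_name, content in entries.items():
                zf.writestr(entry_name, content)
        return buf.getvalue()
    log4j = make_zip({LOG4J_CORE_POM: "version=0.0.0-SAMPLE\nartifactId=log4j-core\n"})
    library = make_zip({"lib/log4j-core-sample.jar": log4j, "com/example/Lib.class": b""})
    return make_zip({"WEB-INF/lib/some-library.jar": library})


if __name__ == "__main__":
    for location, version in find_log4j_core(build_sample_app(), "app.war"):
        print(f"{location}: log4j-core {version}")
```

Compare each reported version against Apache's current advisory to decide what needs patching; the script only locates copies, it does not judge them.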
Does the Log4j exploit affect LivePlan?
As mentioned above, since LivePlan does not use Log4j in any of our services or connectors, whether in production or onsite, LivePlan is not vulnerable to this exploit. While we do use Java as part of LivePlan, none of the Java applications leverage the Log4j framework or any associated open-source logging libraries.
How LivePlan protects your business information
While the Log4j vulnerability doesn’t affect LivePlan, it’s worth reiterating how we do protect your data. All customer data is written to multiple disks instantly, backed up daily, and stored across multiple servers in secure locations. Any data transmitted while using LivePlan is encrypted using HTTPS.
Additionally, our products operate on a dedicated network and are patched regularly in line with the latest security practices, which we arrive at by working closely with security researchers. We submit an annual self-assessment (SAQ A 3.2) for PCI compliance and run regular, automated security scans to ensure that our networks and applications are secure. This is all backed up by our LivePlan team, who are trained in security best practices, including how to identify social engineering, phishing scams, and hackers.
You can check out our full security review documentation for more details regarding how we protect you and your business data.
Currently, officials within the U.S. government are connecting with cybersecurity companies, cloud service providers, and telecommunication companies to track the threat and share information to mitigate it. Additionally, Apache has released updated recommendations, and organizations such as Microsoft, AWS, and Oracle are producing patches and/or steps to minimize the risk. If you think any system you use for your business has been affected, be sure to look into that vendor's recent developer posts for the next steps to secure your information.
While LivePlan is not directly connected to or affected by the Log4j exploit, our security and web development teams are still watching the situation closely. If any new developments arise that impact part of our services, we will be sure to make our users aware and act swiftly to mitigate exploitation. If you have any questions or concerns about this issue, feel free to connect with our customer advocacy team.