Pipedream's response to the Log4j vulnerabilities

I wrote up our response to the Log4j vulnerabilities, and I wanted to repost it here. Please let me know if you have any questions. I hope y’all have great holidays.

Over the last two weeks, two vulnerabilities in Apache Log4j were disclosed publicly: CVE-2021-44228, known as “Log4Shell”, and CVE-2021-45046, which was issued when the first fix turned out to be incomplete. Both allow attackers to execute code remotely on affected systems (the second only in certain non-default logging configurations). Since Log4j is used in a large share of Java software, this incident had wide-reaching consequences.

Pipedream was not affected by these vulnerabilities. While we use Java in some internal systems, we do not, and never have, used Log4j.

When the vulnerabilities were announced, we reviewed each system carefully to confirm that no third-party packages or other ancillary software bundled Log4j as a dependency. The Datadog Agent, which we use to collect logs and metrics, was the only such package identified. Datadog confirmed that their agent was not vulnerable. Still, we proactively upgraded it out of an abundance of caution.

We have heard from all of our subprocessors. All of them were unaffected or addressed the vulnerability quickly, and we have no evidence to suggest they were exploited.

In the days following the original disclosure, we also began blocking known Log4Shell exploit strings and added monitoring to detect attackers using Pipedream as a vehicle for exploiting these vulnerabilities in other systems.

If you observe Pipedream endpoints being used to exploit vulnerable systems, or see any suspect traffic to Pipedream domains, please submit an abuse report or reach out to our Security team at security@pipedream.com.

We know many of you spent time addressing the impact of Log4Shell on your own systems. With this and the multiple AWS outages this December, it’s been a long month for the Internet. We hope you all get some much-needed rest as the holidays approach, and we look forward to working with you more in 2022.