Log4j Worldwide Vulnerability | XM Community

So, have we received an official response from Qualtrics on the Log4j worldwide vulnerability?

I'm wondering the same.


Yes, we would also like to know this.


What I received from my relationship manager:
Date: December 10, 2021 
Title: Status of Log4Shell Vulnerability (CVE-2021-44228) 
Overview 
The Qualtrics Security Operations Center is aware of a vulnerability named Log4Shell (CVE-2021-4428) which may affect organizations using vulnerable versions of the Log4j package. The vulnerability is a critical flaw in open-source code widely used in java applications across industry in cloud services and enterprise software. 
Qualtrics Response 
Qualtrics is committed to maintaining a secure environment for customers. On December 10, 2021, we became aware of a vulnerability called “Log4Shell” which affects java applications. 
We performed a comprehensive review of the XM Platform to assess the risk of the vulnerability and initiated our remediation process given the severity of the vulnerability. 
The Qualtrics Security Operations Center is monitoring for scanning and has deployed the recommended mitigations while we continue our remediation process.



The response above seems non-committal. Are they impacted and if yes, are they remediating with a target date of xx/xx/xx?


I am also looking for a public update from Qualtrics on this.


I am also hoping for an answer to this.


The latest from my rep:
Date: December 16, 2021 
Title: Current Status of the Log4Shell Vulnerabilities (CVE-2021-44228 & CVE-2021-45046)
Overview
The Qualtrics Security Operations Center is aware of a vulnerability named Log4Shell (CVE 2021-4428), which may affect organizations using vulnerable versions of the Log4j package. The vulnerability is a critical flaw in open-source code widely used in java applications across industry in cloud services and enterprise software.
Qualtrics Response 
On December 10, 2021, we became aware of a vulnerability called “Log4Shell” which affects java applications. We performed a comprehensive review of the Qualtrics XM Platform to assess the risk of the vulnerability and initiated our remediation process. The Qualtrics Security Operations Center operates 24/7/365 and at this point has not observed any unauthorized access to customer data as a result of this vulnerability.
Beginning on Friday, December 10th 2021, we conducted the following remediation activities, which have now been completed:
● Blocking of IP addresses associated with scanning for the Log4j vulnerability
● Web Application Firewall (WAF) rules in deny mode targeting the specific vulnerability
● Intrusion Prevention System (IPS) rules with updated vulnerability fingerprint definitions
● Updating the Log4j dependency to version 2.15.0
On December 14 2021, Qualtrics became aware of another vulnerability (CVE-2021-45046) in the Log4j library. Following a review of configuration files and source code of the Qualtrics XM Platform, we have determined that our specific usage is not vulnerable. The mitigations that we have applied in response to CVE-2021-44228 also help protect against this new lower severity vulnerability. Out of an abundance of caution we are actively working on an upgrade to log4j v2.16.0 with the goal of completing this before the end of the year. We are working with our software vendors to get updated releases that we will deploy internally once available. We know that security is important to you and we appreciate your business and trust in us.



Latest:
Date: December 20, 2021 
Title: Current Status of the Log4j Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
Overview
The Qualtrics Security Operations Center is aware of a vulnerability named Log4Shell (CVE-2021-4428), which may affect organizations using vulnerable versions of the Log4j package. The vulnerability is a critical flaw in open-source code widely used in java applications across industry in cloud services and enterprise software.
Qualtrics Response
On Friday, 10th December 2021, we became aware of a vulnerability called “Log4Shell” which affects java applications. We performed a comprehensive review of the Qualtrics XM Platform to assess the risk of the vulnerability and initiated our remediation process. The Qualtrics Security Operations Center operates 24/7/365 and at this point has not observed any unauthorized access to customer data as a result of this vulnerability.
Between Friday 10th and Wednesday 15th December 2021, we completed the following remediation activities:
● Blocking of IP addresses associated with scanning for the Log4j vulnerability
● Web Application Firewall (WAF) rules in deny mode targeting the specific vulnerability
● Intrusion Prevention System (IPS) rules with updated vulnerability fingerprint definitions
● Updating the Log4j dependency to version 2.15.0
On Tuesday, 14th December 2021, Qualtrics became aware of another vulnerability (CVE-2021-45046) in the Log4j library. Following a review of configuration files and source code of the Qualtrics XM Platform, we determined that our software was not vulnerable. Out of an abundance of caution, we initiated an upgrade to Log4j v2.16.0 for the Qualtrics XM Platform source code and completed the deployment to data centers on Sunday 19th December 2021. 
On Saturday, 18th December 2021, Qualtrics learned of an additional vulnerability (CVE-2021-45105) in the Log4j library. We reviewed the configuration files and source code of the Qualtrics XM Platform and determined that our software is not vulnerable. Qualtrics plans to upgrade to 2.17.0 following our standard vulnerability management response process. This is scheduled to complete by 31st January 2022. We know that security is important to you and we appreciate your business and trust in us.
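The vendor updates above step through three Log4j 2.x fix versions (2.15.0, 2.16.0, 2.17.0), one per CVE. Anyone checking their own deployments wants the same mapping applied to an inventory of log4j-core jars; the following is an added example, not Qualtrics code, that walks a directory tree, reads the version from each `log4j-core-2.x.y.jar` filename (an assumption: it does not open the jar or detect shaded/renamed copies) and reports which of the three CVEs a given jar has not yet picked up a fix for, using a constructed inventory:

```python
import os
import re
import tempfile
from pathlib import Path

# Log4j 2.x fix versions as stated in the vendor updates above. Assumption used
# by this example: a jar at or above the listed version addresses that CVE.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}

# Only Log4j 2.x core jars are in scope for the three CVEs listed above.
JAR_RE = re.compile(r"^log4j-core-2\.(\d+)\.(\d+)\.jar$")

def parse_version(filename):
    """Return (2, minor, patch) for a log4j-core 2.x jar filename, else None."""
    m = JAR_RE.match(filename)
    return (2, int(m.group(1)), int(m.group(2))) if m else None

def unaddressed_cves(version):
    """CVEs from FIXED_IN whose fix version is newer than the jar's version."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]

def scan_tree(root):
    """Walk root and map each log4j-core jar path to its unaddressed CVEs."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is not None:
                findings[os.path.join(dirpath, name)] = unaddressed_cves(version)
    return findings

def demo():
    """Constructed inventory mirroring the upgrade path in the updates above."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("app/lib/log4j-core-2.14.1.jar",
                    "svc/WEB-INF/lib/log4j-core-2.16.0.jar",
                    "tools/log4j-core-2.17.0.jar",
                    "svc/WEB-INF/lib/log4j-api-2.16.0.jar"):   # api jar is ignored
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        return {os.path.relpath(k, tmp): v for k, v in scan_tree(tmp).items()}

if __name__ == "__main__":
    for path, cves in demo().items():
        print(path, "->", ", ".join(cves) or "none of the three listed CVEs outstanding")
```

A filename match is only a first pass: jars bundled inside other jars or WAR files, or relocated (shaded) copies of log4j-core, need a scan of archive contents, not just names.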



mklubeck Thanks for sharing this.

