Optimizely response to Zero-Day Log4j vulnerability

Optimizely and its internal security team became aware on Friday, December 10th at 4pm ET of a potential security incident that has had a global impact across many software services and providers: a zero-day vulnerability in the widely used Apache® logging library log4j (CVE-2021-44228) had been announced. The vulnerability is limited to certain versions of the library and has already been fixed in the current release, but any system still running an affected version can be exploited by bad actors until it is patched.

UPDATE December 20th, 2021, 5pm ET

Optimizely has mitigated the log4j vulnerability CVE-2021-44228 across all services.

We continue to patch all software to include the additional fixes for the follow-on issues CVE-2021-45046 (initially rated low severity, since re-rated by Apache because it permits remote code execution in certain non-default logging configurations) and CVE-2021-45105 (a denial-of-service issue caused by uncontrolled lookup recursion).

No evidence of compromise or exploitation has been found and our team continues to monitor for any malicious activity or further developments.

We are continuing to evaluate the status of our critical suppliers as information becomes available.

Instructions for patching legacy on-premises systems and SDKs have been sent to affected customers.


If exploited, this vulnerability allows an attacker to execute arbitrary code on the affected system, which could be used to gain control of it, steal data or disrupt operations. Optimizely's Reliability Engineering, Security Engineering, Support and Product teams have been diligently assessing, evaluating and researching this potential incident, and there have been no indications of any successful exploitation in Optimizely's systems to date.

Since Friday afternoon and throughout the weekend, Optimizely teams have been assessing the impact of the vulnerability and carrying out mitigation and remediation to make sure we continue to protect the confidentiality, integrity and availability of customer data, while also continuing to harden our infrastructure and supplier relationships. Most patches were applied within 24 hours; patching continued throughout the weekend and will continue as needed. While we know where the limited uses of the log4j component exist in our portfolio of products, we are not content with simply applying patches: a thorough investigation is conducted for each instance, and additional measures are taken so that future attempts can be prevented.

Many teams across the company are working around the clock globally to ensure that if any exposure presents itself, we address and minimize it as quickly as possible. This includes not only the patching and investigation described above but also, among other measures, additional blocking rules, ongoing scanning, continuous dialogue with vendors, engagement of third parties and other best practices for remediation and future prevention.

Although most mitigation efforts were completed over the weekend, some remaining work will continue into Tuesday. We have used, and will continue to use, maximum effort to minimize the exposure of these systems, and we are monitoring them closely.

While we are confident that we have evaluated and mitigated the risks related to this vulnerability, we continue to monitor for any evidence of attempted exploitation, the current exposure of our systems and the mitigation status of our critical vendors.

If you have specific concerns, please open a Support ticket via support@optimizely.com or one of the other methods found on Service & support - Optimizely, and you can use “log4j” in the subject line.