Solved

Log4j Vulnerability

  • 14 December 2021
  • 1 reply
  • 342 views

Recently, Apache Log4j announced a security vulnerability, CVE-2021-45046, and we have been using Mixpanel in our applications. We are reviewing our third-party libraries that might be affected by this vulnerability. Can we know whether this has impacted any of the libraries or logging using Log4j at Mixpanel?


Thanks,


Best answer by mattvanwinkle 15 December 2021, 17:50


Hi there,

Thanks for checking in on this.

Mixpanel’s Security Team advises that on December 9th, 2021, Apache disclosed that the Log4j library contained a critical vulnerability that allowed unauthenticated remote code execution, a serious issue that impacts a large number of applications. Mixpanel’s Security Team immediately began investigating its environment to identify any affected systems. After an investigation was completed, it was determined that:

  • The Log4j library is not implemented in any of Mixpanel’s application services or SDKs;
  • A single third-party application utilized by Mixpanel for internal observability was identified as having a vulnerable version of the Log4j dependency;
  • There is no evidence of any attempt to exploit the vulnerable application within Mixpanel’s environment;
  • The vulnerable application is non-critical and has no direct impact on Mixpanel’s application services and is not associated or connected with Mixpanel’s customer data or customer content;
  • Following the guidance of the Apache Foundation and the third-party application vendor, Mixpanel has introduced compensating controls that mitigate the risks, if any, associated with the application’s dependency on the Log4j library.


Thank you,
The Mixpanel Security Team
