Last updated December 20, 2021 at 10:15 a.m. PT
On December 9th, Apache disclosed a critical zero-day vulnerability (CVE-2021-44228) that affects its Log4j logging library.
Currently, Amplitude is not aware of any impact within our systems; however, we are continuing our investigations as the industry learns more. Keeping our customers’ data safe is our number one priority, so we’re actively monitoring this issue and taking steps to mitigate appropriately. We have upgraded our Log4j instances to version 2.17, updated affected software per vendor instructions, and reached out to our relevant third parties to determine their statuses. We are monitoring those who have not yet provided formal updates. There is no current action required of Amplitude customers.
As we continue to gain an understanding of this vulnerability, the Amplitude team will continue to monitor our infrastructure for any potential exploits related to the vulnerability and proactively take steps to detect, mitigate, and remediate any malicious activity. We will keep you informed of any developments by adding onto this blog post.
How to find more information on the Log4j vulnerability
A flaw in the Log4j logging utility, part of the widely used Apache software, was discovered last week. Many internet-facing and back-end systems leverage this technology. The industry is continuing to learn more about the vulnerability, so we recommend reading the NIST website for developing information.
We’re here to help. If you have additional questions, please reach out to support.amplitude.com.