Q: Does Totango utilize Apache Log4j?
A: Yes; however, because we use a non-vulnerable version, our application was not and is not vulnerable. We also checked all of our 3rd party dependency libraries to make sure they are not using it.
Q: Has Totango experienced any security incidents as a result of the Log4j vulnerability?
A: Yes, we identified a few attacks; all of them were unsuccessful (as the version we use is and was non-vulnerable).
Q: Was there any impact to my data or services as a result of the Log4j vulnerability?
A: Not at all.
Q: Has a forensic review been completed?
A: None was needed as no data was exposed.
Q: What remediation has Totango taken on the vulnerability to the application?
A: We upgraded a few 3rd party client libraries and patched some of our 3rd party deployments (per the 3rd party provider guidance) to make sure we are fully resilient to this vulnerability. This was completed on December 13th.
Q: Have any of your third party vendors been impacted by the Log4j vulnerability?
A: No. We checked with all of our 3rd party vendors and made sure no relevant service that Totango uses was impacted by this vulnerability.