Update on the zero-day exploit of the Log4j Java library
Incident Report for Totango
Postmortem

FAQ

Q: Does Totango utilize Apache Log4j?

A: Yes. However, because we use a non-vulnerable version, our application was not and is not vulnerable. We also checked all of our third-party dependency libraries to confirm that they are not using it.

Q: Has Totango experienced any security incidents as a result of the Log4j vulnerability?

A: Yes. We identified a few attack attempts, all of which were unsuccessful, as the version we use was and is non-vulnerable.

Q: Was there any impact to my data or services as a result of the Log4j vulnerability?

A: No, none at all.

Q: Has a forensic review been completed?

A: None was needed, as no data was exposed.

Q: What remediation has Totango taken on the vulnerability to the application?

A: We upgraded a few third-party client libraries and patched some of our third-party deployments (following each provider's guidance) to make sure we are fully resilient to this vulnerability. This work was completed on December 13th.

Q: Have any of your third party vendors been impacted by the Log4j vulnerability?

A: No. We checked with all of our third-party vendors and confirmed that no relevant service Totango uses was impacted by this vulnerability.

Posted Dec 15, 2021 - 13:44 UTC
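The FAQ states that third-party dependency libraries were checked for Log4j and that third-party deployments were patched per provider guidance, but does not show what such a check looks like. The script below is an added example written for this page; it is not Totango's tooling. It inventories every `log4j-core` artifact under a directory, including JARs nested inside WAR/EAR/fat JARs, reads the version from the Maven `pom.properties` the artifact ships with, and records whether `JndiLookup.class` is still present (removing that class from the JAR was the vendor-recommended mitigation for deployments that could not upgrade immediately). Assumptions: the fix threshold `FIXED_IN = "2.17.1"` is a parameter the caller sets (2.15.0 was the first fix for the original zero-day; 2.17.1 is the cumulative fix on the 2.x line, and the 2.12.x and 2.3.x backport branches for old JDKs are not modeled); the sample archives are constructed in memory with placeholder class bytes and are not real artifacts; a status of `mitigated` only covers the JNDI-lookup issues, not later fixes.

```python
"""Inventory Log4j 2 'log4j-core' artifacts, including JARs nested in fat JARs/WARs/EARs,
and flag copies below a fix threshold or still shipping JndiLookup.class.
Added example for this page; not Totango's own code."""
import io
import re
import zipfile
from pathlib import Path

# Real paths inside a Maven-built log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: cumulative 2.x fix used as the threshold. 2.15.0 was the first Log4Shell fix;
# the 2.12.x / 2.3.x backport branches for old JDKs are not modeled here.
FIXED_IN = "2.17.1"


def parse_version(text):
    """Split '2.14.1' into (2, 14, 1, '') and '2.0-beta9' into (2, 0, 0, 'beta9')."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?([A-Za-z]+\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), pre or "")


def version_lt(a, b):
    """True if version a sorts before version b; a pre-release sorts before its final release."""
    pa, pb = parse_version(a), parse_version(b)
    if pa[:3] != pb[:3]:
        return pa[:3] < pb[:3]
    if pa[3] == pb[3]:
        return False
    if pa[3] and not pb[3]:
        return True
    if pb[3] and not pa[3]:
        return False
    return pa[3] < pb[3]


def classify(version, jndi_present, fixed_in=FIXED_IN):
    """'review'     : no pom.properties (shaded/relocated jar) but JndiLookup.class is present
       'fixed'      : version at or above the threshold
       'mitigated'  : old version but JndiLookup.class removed (covers the JNDI lookup issues only)
       'vulnerable' : old version with JndiLookup.class still present"""
    if version is None:
        return "review"
    if not version_lt(version, fixed_in):
        return "fixed"
    return "vulnerable" if jndi_present else "mitigated"


def scan_archive(data, label, fixed_in=FIXED_IN):
    """Inspect one archive (as bytes) and every archive nested inside it; return a list of findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_present = JNDI_LOOKUP in names
        if version is not None or jndi_present:
            findings.append({"path": label, "version": version, "jndi_lookup": jndi_present,
                             "status": classify(version, jndi_present, fixed_in)})
        for name in sorted(names):  # recurse into nested archives (WEB-INF/lib, uber jars, ...)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}", fixed_in))
    return findings


def scan_tree(root, fixed_in=FIXED_IN):
    """Walk a directory on disk and scan every archive found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path), fixed_in))
    return findings


def build_jar(entries):
    """Build an in-memory JAR from {entry_name: bytes}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_archives():
    """Constructed samples, not real artifacts; class bodies are placeholder bytes."""
    def core(version, keep_jndi=True):
        entries = {POM_PROPS: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n".encode()}
        if keep_jndi:
            entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
        return entries
    return {
        "lib/log4j-core-2.14.1.jar": build_jar(core("2.14.1")),
        "lib/log4j-core-2.17.1.jar": build_jar(core("2.17.1")),
        "lib/log4j-core-2.14.1-patched.jar": build_jar(core("2.14.1", keep_jndi=False)),
        "app.war": build_jar({"WEB-INF/lib/log4j-core-2.16.0.jar": build_jar(core("2.16.0"))}),
        "shaded-service.jar": build_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", "com/example/Main.class": b"\xca\xfe\xba\xbe"}),
        "lib/commons-lang3-3.12.0.jar": build_jar({"org/apache/commons/lang3/StringUtils.class": b"\xca\xfe\xba\xbe"}),
    }


def scan_samples(fixed_in=FIXED_IN):
    findings = []
    for label, data in sample_archives().items():
        findings.extend(scan_archive(data, label, fixed_in))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['status']:<10} version={f['version'] or '?':<8} jndi={f['jndi_lookup']!s:<5} {f['path']}")
```

Run `scan_tree("/opt/app")` against a real deployment instead of `scan_samples()`. A `review` finding (JndiLookup.class without `pom.properties`) is the case a version-only check misses: shaded or relocated copies of log4j-core inside a vendor JAR, which is exactly why third-party libraries and deployments have to be checked separately from the application's own dependency tree.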

Resolved
Totango's system is using a non-vulnerable version of Log4j in our application!

We patched all our third-party deployments to be fully resilient.
We also reached out to our third-party providers to confirm that no vulnerability was exploited on their services.
Posted Dec 13, 2021 - 08:02 UTC
Update
Totango's system is using a non-vulnerable version of Log4j in our application!
We immediately verified that the vulnerability was not exploited.

To be on the safe side, we are patching all our third-party deployments to be fully resilient. This effort should be concluded by end of day tomorrow.
We also reached out to our third-party providers to confirm that no vulnerability was exploited on their services.
We are continuing to investigate and monitor all of our system components including 3rd parties.
Posted Dec 12, 2021 - 17:42 UTC
Monitoring
Totango's system is using a non-vulnerable version of Log4j!

We are continuing to investigate and monitor all of our system components including 3rd parties.
Posted Dec 12, 2021 - 10:11 UTC
This incident affected: Totango Web Application.