This is a notification of our response to the zero-day vulnerability in Apache’s Log4j library (CVE-2021-44228). Published on December 10th, the findings quickly made headlines as the most high-profile and expansive security incident in recent memory. Early in the morning of December 10th, our engineering and security teams launched an effort to identify any application leveraging the affected library. Thanks to the collaboration of developers across four different countries, we released patches for all impacted client-facing services by the end of that day.
In our inventory of impacted services, we found that less than three percent of our code repositories contained a vulnerable version of this library. Fewer than a dozen of these services actually received traffic from our client-facing applications, which made it possible to deploy these changes without any downtime.
As a security-first organization, we have built a culture that looks at risk and compliance throughout every facet of our development cycle. This mindset played a key role on the morning of December 10th, as the severity of this vulnerability was instantly recognized as a top priority. As the industry continues to feel the ripple effects of this incident, I am more confident than ever that our world-class R&D team will be able to meet any challenges that come our way, always keeping security top of mind.
Nir Keren, CTO