Appen has taken prompt action in response to the Log4Shell vulnerability advisory (CVE-2021-44228), which may affect organizations that use vulnerable versions of the Log4j package. The vulnerability is a remote code execution flaw in the Apache Log4j logging library, which is used by many Java applications.
Our security team's review has found no malicious or suspicious activity. The issue has been rated a critical vulnerability, and Appen will continue to respond to it with the highest priority. Based on our security team's investigation, we have scanned for and patched the known vulnerabilities.
Application Platforms
We have completed our assessment and mitigation across our platforms. The current status of each platform is as follows.
- Appen Connect
  - The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- Appen Collect
  - Not affected
- Appen Data Annotation Platform
  - The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
- Ampersand
  - Not affected
- Appen Mobile
  - Not affected
- GAP
  - The vulnerability is mitigated by disabling the service.
- Secure Workspace
  - Not affected
- A9
  - The vulnerability is mitigated through appropriate security controls. No further actions are necessary.
Internal Infrastructure
We identified 27 systems in our infrastructure that had a vulnerable version of the log4j package:
- Unified controller – manages wireless access points
- 2 servers – a hypervisor and the MS Endpoint Configuration Manager server
- 23 endpoints – end-user laptops
The vulnerable package has been uninstalled from all of these devices.
Appen public domains
The Appen global site and its subdomains were not affected by this Log4j vulnerability.
Ongoing monitoring
Appen is running continuous scans across all of our systems and applications to monitor for this vulnerability.
Supply Chain monitoring
Additionally, we have been proactively reaching out to our third-party service providers (suppliers) to check how they are impacted by this vulnerability and what actions they have taken.
Please reach out to security@appen.com for any questions.
FAQ
Q. Does Appen use or rely on products that are affected by Log4Shell / CVE-2021-44228?
Yes
Q. Do products or services that Appen provides to its clients require the use of or access to products affected by Log4Shell?
Yes
Q. Will this impact any product or services that Appen provides to its clients?
No
Q. To the extent applicable, will this impact clients' ability to access Appen environments or products?
No
Q. Is there any evidence that the Log4Shell vulnerability has been exploited and Appen’s or its customers’ data has been accessed or exfiltrated?
No
Q. Has Appen experienced or detected any impact to or suspicious or malicious activity in connection with products affected by Log4Shell?
No
Q. What remediation actions has Appen taken or does Appen plan to take to address Log4Shell vulnerabilities?
All vulnerable systems have been remediated by upgrading or uninstalling the affected Log4j version, or by changing runtime properties in our environment. No malicious or suspicious activity has been found.
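As an added illustration of the inventory work behind the continuous scans and the upgrade / uninstall remediation described above, here is an example host-side scanner. It is example code written for this page, not Appen's own tooling. It walks a directory tree, finds archives that bundle log4j-core, reads the version from Maven's pom.properties or the jar manifest, compares it against the CVE-2021-44228 affected range published by Apache (2.0-beta9 through 2.14.1, with 2.12.2 as the Java 7 backport fix), and reports whether the JndiLookup class is still inside the archive (removing that class is the mitigation Apache documented for deployments that could not upgrade). The jars it scans are constructed fixtures written to a temporary directory; their file names, version strings and the "needs action" rule are assumptions made for the demo.

```python
"""Host-side inventory check for Log4j 2 jars: added example code, not Appen's
tooling. Reports each bundled log4j-core version, whether it is in the
CVE-2021-44228 range, and whether the JndiLookup class is still in the archive."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes are
    dropped, so early 2.0 betas are flagged as well (a conservative choice)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_affected_version(v: Tuple[int, int, int]) -> bool:
    """Apache's advisory lists 2.0-beta9 through 2.14.1 as affected by
    CVE-2021-44228; 2.15.0 fixed it and 2.12.2 is the Java 7 backport fix."""
    return v != (2, 12, 2) and (2, 0, 0) <= v <= (2, 14, 1)

@dataclass
class Finding:
    path: str
    version: Optional[str]
    affected_version: bool
    jndi_lookup_present: bool

    @property
    def needs_action(self) -> bool:
        """Upgrade, uninstall, or strip JndiLookup.class (the documented
        mitigation for jars that cannot be upgraded). An unknown version with
        the class present is also flagged for review (assumed policy)."""
        return (self.affected_version or self.version is None) and self.jndi_lookup_present

def read_log4j_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Prefer Maven's pom.properties; fall back to the manifest's Implementation-Version."""
    names = set(jar.namelist())
    for entry, key in ((POM_PROPERTIES, "version="), (MANIFEST, "Implementation-Version:")):
        if entry in names:
            for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith(key):
                    return line[len(key):].strip()
    return None

def scan_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the archive bundles log4j-core classes, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
                return None
            text = read_log4j_version(jar)
            parsed = parse_version(text) if text else None
            affected = parsed is not None and is_affected_version(parsed)
            return Finding(path, text, affected, JNDI_LOOKUP_CLASS in names)
    except zipfile.BadZipFile:
        return None

def scan_tree(root: str) -> List[Finding]:
    """Walk root and scan every .jar/.war/.ear; jars nested inside wars are not unpacked here."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                finding = scan_jar(os.path.join(dirpath, fn))
                if finding:
                    findings.append(finding)
    return findings

def build_sample_jars(root: str) -> None:
    """Constructed fixtures: minimal archives carrying only the entries the scanner inspects."""
    def write(name, version, jndi, use_pom=False):
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
            if use_pom:
                jar.writestr(POM_PROPERTIES, f"version={version}\n")
            else:
                jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    write("vulnerable-2.14.1.jar", "2.14.1", jndi=True)
    write("stripped-2.14.1.jar", "2.14.1", jndi=False)             # JndiLookup.class removed
    write("backport-2.12.2.jar", "2.12.2", jndi=True, use_pom=True)
    write("patched-2.17.1.jar", "2.17.1", jndi=True)
    with zipfile.ZipFile(os.path.join(root, "unrelated.jar"), "w") as jar:
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")   # no log4j inside

def demo() -> Dict[str, Tuple[Optional[str], bool]]:
    """Scan the constructed fixtures; map file name -> (version, needs_action)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return {os.path.basename(f.path): (f.version, f.needs_action) for f in scan_tree(root)}

if __name__ == "__main__":
    for name, (version, action) in sorted(demo().items()):
        print(f"{name}: version={version} needs_action={action}")
```

Two limits worth keeping in mind when reading the output: the check covers only the CVE-2021-44228 range, so the later Log4j releases that addressed the follow-up CVEs are outside its scope, and the third remediation route the answer mentions, changing runtime properties, is invisible to a jar scan; the log4j2.formatMsgNoLookups property in particular only applies to 2.10 and later and was subsequently described by Apache as an insufficient mitigation, so the scan result, not the property, should decide whether a system is closed out.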
Q. When did Appen become aware of the Log4Shell vulnerability?
December 10, 2021
Q. How has Appen communicated the discovery and remediation of the Log4Shell vulnerability?
Through email and web post