Nylas’ Response to the Log4j Vulnerability
At Nylas, our information security team took action to investigate the Log4j vulnerability and found that our codebases were not impacted. As the incident unfolds, see how Nylas responded to identify the impact and protect customer data.
Austin Gregory | December 17, 2021
Last week, a critical vulnerability in the very popular Log4j Java library was publicly disclosed. The vulnerability, tracked as CVE-2021-44228, allows attackers to execute arbitrary code on a remote server. As the news broke, security teams across the globe went into high gear in efforts to identify their exposure and remediate risk. Organizations small and large have been impacted, and vendors are working tirelessly to ensure that their environments are secure and customers are protected.
How did Nylas respond?
At Nylas, our customers are always our number one priority and we take great care to protect their data. Our security team quickly began investigating and engaging with other teams to identify potential exposure to CVE-2021-44228. Our investigation consisted of the following steps: reviewing all of our codebases for dependencies on the JVM, comprehensively scanning all production environments for signs of vulnerability or malicious activity, and reaching out to our critical vendors regarding indirect exposure.
Review of our codebases
All Nylas services are coded in Golang and Python, which greatly helps to limit our exposure. Our Java SDK is the only codebase written in Java that we maintain. During our investigation, we found that the codebase contained references to log4j-api:2.12.1, log4j-core:2.12.1, and log4j-slf4j-impl:2.12.1, which are vulnerable versions of the library. Fortunately, we confirmed that these references are only used for unit tests and examples, and customers using the SDK aren’t affected. Even so, a patch was released the morning of December 13th upgrading to Log4j version 2.15.0. None of our other codebases were exposed.
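As an added illustration (not Nylas' code), here is a small Python scanner for the kind of dependency review described above: it reads Gradle-style dependency declarations, flags org.apache.logging.log4j artifacts below the 2.15.0 upgrade target named in this post, and separates test-only configurations from runtime ones. The build-file snippet is constructed, and the 2.14.1 runtime declaration in it is hypothetical.

```python
import re
from typing import List, NamedTuple
# Upgrade target named in the post; any Log4j 2.x release below it is flagged.
FIXED_VERSION = (2, 15, 0)
# Matches Gradle lines such as  testImplementation 'group:artifact:version'  or  implementation("g:a:v").
DEP_RE = re.compile(
    r"""^\s*(?P<conf>\w+)\s*\(?\s*['"](?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-]+)['"]""",
    re.MULTILINE,
)

class Finding(NamedTuple):
    configuration: str     # Gradle configuration the dependency is declared in
    artifact: str
    version: str
    runtime_exposed: bool  # False when only test/example code pulls it in

def parse_version(version: str) -> tuple:
    """'2.12.1' -> (2, 12, 1); non-numeric suffixes are ignored, short versions padded with 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))

def scan_gradle(build_file: str) -> List[Finding]:
    """Report every org.apache.logging.log4j 2.x dependency declared below FIXED_VERSION."""
    findings = []
    for m in DEP_RE.finditer(build_file):
        if m["group"] != "org.apache.logging.log4j":
            continue  # other groups (e.g. slf4j, or the Log4j 1.x coordinate 'log4j:log4j') are out of scope here
        if not ((2, 0, 0) <= parse_version(m["version"]) < FIXED_VERSION):
            continue
        runtime = not m["conf"].lower().startswith("test")
        findings.append(Finding(m["conf"], m["artifact"], m["version"], runtime))
    return findings

# Constructed sample: the three test-only references the post describes, a hypothetical
# runtime declaration so both outcomes are exercised, and an already-upgraded line.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'org.slf4j:slf4j-api:1.7.30'
    implementation("org.apache.logging.log4j:log4j-core:2.14.1")
    testImplementation 'org.apache.logging.log4j:log4j-api:2.12.1'
    testImplementation 'org.apache.logging.log4j:log4j-core:2.12.1'
    testImplementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.12.1'
    testImplementation 'org.apache.logging.log4j:log4j-core:2.15.0'
}
"""
```

Note that this only inspects declared coordinates; Log4j pulled in transitively shows up in the resolved dependency tree (for example via `gradle dependencies`), which is where a complete review has to look.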
Scan of our environments
We continuously and automatically monitor all of our production environments for security risks using Lacework. One of Lacework’s features is to conduct ongoing scans for exposure to published vulnerabilities. Fortunately, Lacework’s team promptly added support for CVE-2021-44228, which enabled Nylas to comprehensively scan all of our hosts for the vulnerability. The search yielded no findings. Another important feature of Lacework is its ability to monitor event logs and notify our security team of any unusual activity (e.g. network activity with unknown servers). Out of an abundance of caution, we thoroughly reviewed the event history for any signs of a compromise and found nothing suspicious.
Third-party inquiries
While our investigation confirmed Nylas isn’t directly vulnerable, we do rely on products and services provided by third parties that may make us indirectly vulnerable. Because of this, we enumerated our critical vendors and inquired regarding their exposure to CVE-2021-44228 and whether any Nylas data is at risk. This process is still ongoing, and we’re committed to keeping customers informed as information becomes available. So far we haven’t received any indication of unauthorized access. For complete transparency, we’ll be keeping the following list up-to-date as we receive new information.
| Vendor | Status | Details |
|---|---|---|
| AWS | On-going | We’ve ensured all known affected components have been patched, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our AWS environments as more information becomes available. |
| GCP | On-going | We’ve followed Google’s recommendations to safeguard all known affected components, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our GCP environments as more information becomes available. |
| Zendesk | Safe | Zendesk’s team hasn’t found any evidence Nylas has been impacted. |
| Honeycomb.io | Safe | Honeycomb’s team confirmed they’re not vulnerable. |
| New Relic | Safe | We don’t use the affected components. |
| Lacework | Safe | Lacework’s team confirmed they’re not vulnerable. |
| Harness.io | On-going | We’re awaiting a response from Harness’ team regarding any known impact to Nylas. In the meantime, we’re continuing to monitor our environments and haven’t found any evidence of unauthorized access. |
| CloudFlare | Safe | CloudFlare’s team hasn’t found any evidence Nylas has been impacted. |
| Kong | Safe | Kong’s team confirmed they’re not vulnerable. |
| Teleport | Safe | Teleport’s team confirmed they’re not vulnerable. |
| Aiven | Safe | We’ve confirmed all affected components have been patched, and we haven’t found any evidence of unauthorized access. |
Our promise to customers
Our customers are always our number one priority and we will continue to put you first as we monitor this widespread security incident. Many of you have questions and we strive to maintain transparency and open communication as we roll out information both individually and collectively.
Maintaining a secure environment is top-of-mind as you scale, which is why security is built into the core of our products. By setting a solid foundation to safeguard our customers, we are dedicated to protecting your data while enhancing team productivity. To read more about how Nylas helps organizations build integrations without risk, click here.