Truepic’s Software: No Exposure to Log4j Vulnerability, Monitoring Situation Closely

Jason Slack
Published in Truepic
Dec 13, 2021

Jason Slack, Director, Product Engineering & Liron Golan, Director, Information Security

On Friday, December 10, 2021, a new security vulnerability (CVE-2021-44228) was published by the National Institute of Standards and Technology (NIST) for the Apache Log4j software utility, a commonly used open source logging framework that records the activity of applications. This vulnerability, if exploited, could allow attackers to import malware that could compromise machines.

Truepic assembled a cross-functional team to assess any potential exposure to this vulnerability and plan for any necessary remediation steps to protect Truepic systems. Our assessment determined that Truepic has no exposure to Log4j vulnerability CVE-2021-44228 within our own software that would impact the safe use of Truepic products, as we do not directly leverage Log4j.

Truepic is actively communicating with all vendors and monitoring for any disclosed impacts within the software systems. Should there be any updates, we will immediately deploy any patches or recommended remediations once they have been released or communicated.

As this situation continues to evolve, we will notify our clients immediately if any concerns arise. The extent to which Log4j is integrated into the world’s software systems is still being researched and discovered in real time, making response a dynamic activity for all security programs.
