ThoughtTrace Response to Apache Log4j Remote Code Execution - Statement from Joel Hron, Chief Technology Officer, ThoughtTrace, Inc.
We are writing to inform you that a high severity remote code execution (RCE) vulnerability (CVE-2021-44228) was identified on December 9, 2021 impacting multiple versions of the third-party Apache library Log4j. Log4j is a standard logging library used by many Java applications worldwide.
- In ThoughtTrace, this vulnerability has a very low likelihood of exploitation and can only be exercised by an authenticated and named user with the necessary permissions to perform this type of action. No attack vectors are accessible from outside the ThoughtTrace platform.
- This vulnerability only exists in a single backend service in the ThoughtTrace platform. We have also run security scans on our application and confirmed that this service is not accessible via the public internet.
- We have manually reviewed our code and removed any direct dependencies on the log4j package. We have also run static code analysis of our application code to confirm this CVE does not exist elsewhere in any secondary dependencies.
- We are continuing to evaluate further potential dependencies and monitoring activity to ensure that ThoughtTrace is secure against this particular CVE.
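The third bullet describes checking both direct and secondary (transitive) dependencies for the affected Log4j versions. The following is an added, illustrative example of that kind of check; it is not ThoughtTrace code and nothing about the ThoughtTrace platform is assumed. It parses the output format of `mvn dependency:tree` (a constructed sample is embedded below), reports every `log4j-core` occurrence with its depth in the tree so that direct dependencies (depth 1) can be told apart from transitive ones, and flags versions in the range the public advisory for CVE-2021-44228 lists as affected (2.x before 2.15.0, with the backported fix releases 2.12.2 and 2.3.1 excluded). The version thresholds come from the public advisory, not from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output (not real project data).
# Depth is encoded by 3-character prefixes ("+- ", "|  ", "\- ").
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:some-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:other-lib:jar:1.4.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] \\- log4j:log4j:jar:1.2.17:compile
"""

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; fixed in 2.15.0.
# 2.12.2 (Java 7 branch) and 2.3.1 (Java 6 branch) carry the fix as backports.
FIXED_IN = (2, 15, 0)
BACKPORTED_FIXES = {(2, 12, 2), (2, 3, 1)}
VULNERABLE_GROUP, VULNERABLE_ARTIFACT = "org.apache.logging.log4j", "log4j-core"

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    depth: int        # 1 = direct dependency, >=2 = transitive (secondary)
    affected: bool


def version_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    """Reduce '2.14.1' or '2.0-beta9' to a comparable (major, minor, patch) tuple."""
    m = _VER.match(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected(version: str) -> bool:
    """True if this log4j-core version is in the CVE-2021-44228 affected range."""
    t = version_tuple(version)
    if t is None or t[0] != 2:      # 1.x is a different code base, not this CVE
        return False
    if t in BACKPORTED_FIXES:
        return False
    return t < FIXED_IN


def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, version) for one dependency:tree line."""
    if not line.startswith("[INFO] "):
        return None
    body = line[len("[INFO] "):]
    i = 0
    while i < len(body) and body[i] in "|+\\- ":   # tree-drawing prefix
        i += 1
    prefix, coords = body[:i], body[i:].strip()
    parts = coords.split(":")
    if len(parts) < 4:
        return None
    # Root line: group:artifact:type:version (no scope).
    # Child lines: group:artifact:type[:classifier]:version:scope.
    version = parts[-1] if len(parts) == 4 else parts[-2]
    return (len(prefix) // 3, parts[0], parts[1], version)


def scan_tree(tree_text: str) -> List[Finding]:
    """Collect every log4j-core occurrence in a dependency tree, flagging affected ones."""
    findings = []
    for line in tree_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        depth, group, artifact, version = parsed
        if group == VULNERABLE_GROUP and artifact == VULNERABLE_ARTIFACT:
            findings.append(Finding(group, artifact, version, depth, is_affected(version)))
    return findings


def affected_findings(tree_text: str) -> List[Finding]:
    return [f for f in scan_tree(tree_text) if f.affected]


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        kind = "direct" if f.depth == 1 else "transitive"
        status = "AFFECTED" if f.affected else "ok"
        print(f"{f.group}:{f.artifact}:{f.version} ({kind}, depth {f.depth}) -> {status}")
```

Running this over the constructed sample reports the transitive `log4j-core:2.14.1` pulled in by `some-lib` as affected and the `2.17.0` copy as not affected; the `log4j-api` artifact and the 1.x `log4j:log4j` entry are not reported because the CVE is in `log4j-core` 2.x. Gradle or SBT trees use a different layout and would need their own `parse_line`.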
Your trust and the security of your information are of paramount concern for us, always. Please reach out to your Customer Success Manager or submit a ticket for any further questions or concerns.
Chief Technology Officer