Update #3 – Jan. 5, 2022
As I wrote last month (see below), Domo has been closely monitoring the developments around critical vulnerabilities associated with the use of Apache Log4j.
As of today, Domo has updated its critical applications to use Log4j version 2.17.1, in line with the most recent vulnerability described here and the advisory described here.
At the time of this posting, we have not discovered any instances of exploitation of this vulnerability within the Domo platform environment.
If we become aware of any unauthorized activity associated with this vulnerability, we will notify impacted customers as soon as possible.
Update #2 – Dec. 21, 2021
Domo is aware of an additional security advisory indicating that, under certain configurations, Apache Log4j versions through 2.16.0 are vulnerable to exploitation by malicious cyberthreat actors looking to stage a denial-of-service (DoS) attack.
Domo has evaluated the potential impact of this advisory to our environment and has implemented mitigation and remediation measures where applicable.
If we become aware of any unauthorized activity associated with this vulnerability impacting our customers, then, as noted before (below), we will notify those customers as soon as possible.
Update #1 – Dec. 17, 2021
As I wrote earlier this week (below), Domo has been closely monitoring the developments around critical vulnerabilities associated with the use of Apache Log4j. In the last 48 hours, we have learned that a new critical vulnerability—CVE-2021-45046, which could lead to a remote code execution (RCE) attack—has been identified and described by the Apache Software Foundation.
To mitigate this new vulnerability, we have upgraded to Log4j version 2.16. At the time of this posting, we have not discovered any instances of exploitation of this vulnerability within the Domo platform environment. If we become aware of any unauthorized activity associated with this vulnerability, we will notify impacted customers as soon as possible.
Original post – Dec. 15, 2021
Ensuring the security and confidentiality of customer data is Domo’s No. 1 priority. Therefore, in light of the recently discovered zero-day vulnerability in the Java logging library Log4j, I would like to present a quick overview of Domo’s response to this new cybersecurity threat.
What happened
On Dec. 9, 2021, Apache publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library, Log4j.
This vulnerability was nicknamed Log4Shell. Upon identification of the security advisory, Domo began its security incident response process to evaluate the potential impact to Domo and promptly took steps to remediate any exposure if identified.
Domo’s response
Our investigation identified usage of the affected Log4j versions in some applications and services within the Domo environment. Upon identification, we upgraded our deployment of Log4j to the recommended version.
We are also communicating with our key vendors and partners who are affected by this vulnerability to understand and evaluate any exposure and risk to our platform and customers.
While that process is ongoing, the Domo Security Team has implemented preventive and detective measures to identify exploitation attempts against our environment, protect against them, and detect any that occur.
At the time of this posting, we have not discovered any instances of exploitation of this vulnerability within our environment. If we become aware of any unauthorized activity associated with this vulnerability, we will notify impacted customers as soon as possible.
Next steps
The Domo Security Team will post updates here if there are any relevant changes. In the meantime, if you have any questions, please reach out to your customer support partner.