Since the original report of the vulnerability in the Apache log4j logging library on Dec 10th (CVE-2021-44228), there have been additional advisories issued (CVE-2021-44832, CVE-2021-45105, CVE-2021-45046). Split has been actively monitoring the developments, and auditing our systems. Our code and services continue to not be vulnerable. Due to the ongoing nature of the situation, we continue to work with our data sub-processors to take any remedial actions as needed.
If you have any questions, please reach out to us at support@split.io or your customer success manager.
Upon review, we’ve found that our public endpoints are not affected by this vulnerability due to the version of logging in use. We have analyzed our code and services and none of those are vulnerable.
For our SDKs, we do not include a logging library in the package that our customers run. Instead, we use the Simple Logging Facade for Java (SLF4J) that serves as a simple facade or abstraction for various logging frameworks that allow the end-user to plug in their desired logging framework. Therefore our SDKs are not affected, but Split users should ensure that they are leveraging a non-vulnerable logging library with our SDK.
We are in the process of working with our infrastructure partners and taking remedial action, as needed.
Posted Dec 13, 2021 - 12:10 PST
Update
We have determined that our key services are not affected. We continue investigating other parts of our systems and vendors.
Posted Dec 13, 2021 - 10:07 PST
Investigating
Split is currently investigating whether or not the vulnerability (CVE-2021-44228) discovered in Apache Log4j has any impact on our systems. We will update this post shortly.