Last week, a critical vulnerability in the very popular Log4j Java library was publicly disclosed. The vulnerability, tracked as CVE-2021-44228, allows attackers to execute arbitrary code on a remote server. As the news broke, security teams across the globe went into high gear in efforts to identify their exposure and remediate risk. Organizations small and large have been impacted, and vendors are working tirelessly to ensure that their environments are secure and customers are protected.
At Nylas, our customers are always our number one priority and we take great care to protect their data. Our security team quickly began investigating and engaging with other teams to identify potential exposure to CVE-2021-44228. Our investigation consisted of the following steps: Reviewing all of our codebases for dependencies on the JVM, comprehensively scanning all production environments for signs of vulnerability or malicious activity, and reaching out to our critical vendors regarding indirect exposure.
All Nylas services are coded in Golang and Python, which greatly helps to limit our exposure. Our Java SDK is the only codebase written in Java that we maintain. During our investigation, we found that the codebase contained references to log4j-api:2.12.1, log4j-core:2.12.1, and log4j-slf4j-impl:2.12.1, which are vulnerable versions of the library. Fortunately, we confirmed that these references are only used for unit tests and examples, and customers using the SDK aren’t affected. Even so, a patch was released the morning of December 13th upgrading to Log4j version 2.15.0. None of our other codebases were exposed.
We continuously and automatically monitor all of our production environments for security risks using Lacework. One of Lacework’s features is to conduct ongoing scans for exposure to published vulnerabilities. Fortunately, Lacework’s team promptly added support for CVE-2021-44228, which enabled Nylas to comprehensively scan all of our hosts for the vulnerability. The search yielded no findings. Another important feature of Lacework is its ability to monitor event logs and notify our security team of any unusual activity (e.g. network activity with unknown servers). Out of an abundance of caution, we thoroughly reviewed the event history for any signs of a compromise and found nothing suspicious.
While our investigation confirmed Nylas isn’t directly vulnerable, we do rely on products and services provided by third parties that may make us indirectly vulnerable. Because of this, we enumerated our critical vendors and inquired regarding their exposure to CVE-2021-44228 and whether any Nylas data is at risk. This process is still on-going, and we’re committed to keeping customers informed as information becomes available. So far we haven’t received any indication of unauthorized access. For complete transparency, we’ll be keeping the following list up-to-date as we receive new information.
| Vendor | Result | Notes |
| AWS | On-going | We’ve ensured all known affected components have been patched, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our AWS environments as more information becomes available. |
| GCP | On-going | We’ve followed Google’s recommendations to safeguard all known affected components, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our GCP environments as more information becomes available. |
| Zendesk | Safe | Zendesk’s team hasn’t found any evidence Nylas has been impacted. |
| Honeycomb.io | Safe | Honeycomb’s team confirmed they’re not vulnerable. |
| New Relic | Safe | We don’t use the affected components. |
| Lacework | Safe | Lacework’s team confirmed they’re not vulnerable. |
| Harness.io | On-going | We’re awaiting a response from Harness’ team regarding any known impact to Nylas. In the meantime, we’re continuing to monitor our environments and haven’t found any evidence of unauthorized access. |
| CloudFlare | Safe | CloudFlare’s team hasn’t found any evidence Nylas has been impacted. |
| Kong | Safe | Kong’s team confirmed they’re not vulnerable. |
| Teleport | Safe | Teleport’s team confirmed they’re not vulnerable. |
| Aiven | Safe | We’ve confirmed all affected components have been patched, and we haven’t found any evidence of unauthorized access. |
Our customers are always our number one priority and we will continue to put you first as we monitor this widespread security incident. Many of you have questions and we strive to maintain transparency and open communication as we roll out information both individually and collectively.
Maintaining a secure environment is top-of-mind as you scale, which is why security is built into the core of our products. By setting a solid foundation to safeguard our customers, we are dedicated to protecting your data while enhancing team productivity. To read more about how Nylas helps organizations build integrations without risk, click here.
Building security by design is crucial, especially for startups and small businesses, where resources are…
In a time where cyber threats are increasingly sophisticated and frequent, fostering a security-first culture…
How can you leverage communications data to deliver engaging experiences to your customers? Meet with our team at Collision to learn how you can turn communication into inspiration.
Austin manages the Information Security team at Nylas. He's a security geek with more than a decade of experience building and securing software. In his free time Austin enjoys trying different foods and is always down for a new adventure.
Email API
Calendar API
Scheduler
Contacts API
ExtractAI
Salesforce email integration
Google email & calendar integration
Outlook email & calendar integration
IMAP integration
Calendar management
Embedded contextual email
Scheduling automation
Automated outreach
Intelligent data extraction
Ecommerce
Telehealth
Real estate
Financial technology
Educational technology
Expense management
Customer relationship management
Applicant tracking system
Communications platform
Marketplaces
Document management
Docs
SDKs
Tutorials
API status
Changelog
Support
Blog
Events
Guides
Inspiration gallery
Partners
Build vs. buy
Customer stories
Security & Compliance
Why Nylas
Newsroom