Log4j Vulnerability Response

Nylas’ Response to the Log4j Vulnerability

4 min read

Last week, a critical vulnerability in the very popular Log4j Java library was publicly disclosed. The vulnerability, tracked as CVE-2021-44228, allows attackers to execute arbitrary code on a remote server. As the news broke, security teams across the globe went into high gear in efforts to identify their exposure and remediate risk. Organizations small and large have been impacted, and vendors are working tirelessly to ensure that their environments are secure and customers are protected.

How did Nylas respond?

At Nylas, our customers are always our number one priority and we take great care to protect their data. Our security team quickly began investigating and engaging with other teams to identify potential exposure to CVE-2021-44228. Our investigation consisted of the following steps: Reviewing all of our codebases for dependencies on the JVM, comprehensively scanning all production environments for signs of vulnerability or malicious activity, and reaching out to our critical vendors regarding indirect exposure.

Review of our codebases

All Nylas services are coded in Golang and Python, which greatly helps to limit our exposure. Our Java SDK is the only codebase written in Java that we maintain. During our investigation, we found that the codebase contained references to log4j-api:2.12.1, log4j-core:2.12.1, and log4j-slf4j-impl:2.12.1, which are vulnerable versions of the library. Fortunately, we confirmed that these references are only used for unit tests and examples, and customers using the SDK aren’t affected. Even so, a patch was released the morning of December 13th upgrading to Log4j version 2.15.0. None of our other codebases were exposed.

Scan of our environments

We continuously and automatically monitor all of our production environments for security risks using Lacework. One of Lacework’s features is to conduct ongoing scans for exposure to published vulnerabilities. Fortunately, Lacework’s team promptly added support for CVE-2021-44228, which enabled Nylas to comprehensively scan all of our hosts for the vulnerability. The search yielded no findings. Another important feature of Lacework is its ability to monitor event logs and notify our security team of any unusual activity (e.g. network activity with unknown servers). Out of an abundance of caution, we thoroughly reviewed the event history for any signs of a compromise and found nothing suspicious.

Third party inquiries

While our investigation confirmed Nylas isn’t directly vulnerable, we do rely on products and services provided by third parties that may make us indirectly vulnerable. Because of this, we enumerated our critical vendors and inquired regarding their exposure to CVE-2021-44228 and whether any Nylas data is at risk. This process is still on-going, and we’re committed to keeping customers informed as information becomes available. So far we haven’t received any indication of unauthorized access. For complete transparency, we’ll be keeping the following list up-to-date as we receive new information.

VendorResultNotes
AWSOn-goingWe’ve ensured all known affected components have been patched, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our AWS environments as more information becomes available.
GCPOn-goingWe’ve followed Google’s recommendations to safeguard all known affected components, and haven’t found any evidence of unauthorized access. We’re continuing to monitor our GCP environments as more information becomes available.
ZendeskSafeZendesk’s team hasn’t found any evidence Nylas has been impacted.
Honeycomb.ioSafeHoneycomb’s team confirmed they’re not vulnerable.
New RelicSafeWe don’t use the affected components.
LaceworkSafeLacework’s team confirmed they’re not vulnerable.
Harness.ioOn-goingWe’re awaiting a response from Harness’ team regarding any known impact to Nylas. In the meantime, we’re continuing to monitor our environments and haven’t found any evidence of unauthorized access.
CloudFlareSafeCloudFlare’s team hasn’t found any evidence Nylas has been impacted.
KongSafeKong’s team confirmed they’re not vulnerable.
TeleportSafeTeleport’s team confirmed they’re not vulnerable.
AivenSafeWe’ve confirmed all affected components have been patched, and we haven’t found any evidence of unauthorized access.

Our promise to customers

Our customers are always our number one priority and we will continue to put you first as we monitor this widespread security incident. Many of you have questions and we strive to maintain transparency and open communication as we roll out information both individually and collectively. 

Maintaining a secure environment is top-of-mind as you scale, which is why security is built into the core of our products. By setting a solid foundation to safeguard our customers, we are dedicated to protecting your data while enhancing team productivity. To read more about how Nylas helps organizations build integrations without risk, click here.

Related resources

Implementing security by design at startups

Building security by design is crucial, especially for startups and small businesses, where resources are…

Building a security-first culture in your organization

In a time where cyber threats are increasingly sophisticated and frequent, fostering a security-first culture…

Join Nylas in Toronto at Collision, June 20-23, 2022

How can you leverage communications data to deliver engaging experiences to your customers? Meet with our team at Collision to learn how you can turn communication into inspiration.