Workday Response on CVE-2021-44228 Apache Log4j
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228).
All environments containing Customer Data have been updated to mitigate the vulnerabilities identified in CVE-2021-44228 and CVE-2021-45046.
All environments we have identified containing Customer Data running versions of Log4j vulnerable to CVE-2021-44228 have been patched.
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228). To date, we haven’t found any indication that Customer Data or environments containing Customer Data have been affected.
The vulnerability, disclosed on December 9, allows an attacker to execute code on a remote server if the system logs an attacker-modified string value on an exposed endpoint. The Log4j library is used widely in Java-based applications, including within the Workday service.
Upon learning of the vulnerability, we immediately initiated an investigation to determine its potential impact. We use Log4j in a number of Workday environments, and we've tested and deployed recommended mitigation techniques and remediation patches against this vulnerability in environments across the Workday service. Our efforts have included intrusion prevention via upgrades to our firewalls as well as upgrades of the Log4j library directly used by Workday and included in other software packages.
As part of our standard operating procedure, we’ll continue to monitor any environments that may be affected by Log4j and will deploy additional mitigation and remediation steps as needed.
This advisory will be updated as more information becomes available. For customers with additional inquiries, please create a support ticket or refer to our Information Security and Trust page on Workday Community.