Workday Response on CVE-2021-44228 Apache Log4j

December 22

All environments containing Customer Data have been updated to mitigate the vulnerabilities identified in CVE-2021-44228 and CVE-2021-45046.

December 18

All environments we have identified containing Customer Data running versions of Log4j vulnerable to CVE-2021-44228 have been patched.

December 16

Apache Log4j Vulnerability—Initial Findings 

Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228). To date, we haven’t found any indication that Customer Data or environments containing Customer Data have been affected. 

The vulnerability, disclosed on December 9, allows an attacker to execute code on a remote server if the system logs an attacker modified string value on an exposed endpoint. The Log4j library is used widely in Java-based applications, including within the Workday service.  

Workday Response

Upon learning of the vulnerability, we immediately initiated an investigation to determine its potential impact. We use Log4j in a number of Workday environments, and we've tested and deployed recommended mitigation techniques and remediation patches against this vulnerability in environments across the Workday service. Our efforts have included intrusion prevention via upgrades to our firewalls as well as upgrades of the Log4j library directly used by Workday and included in other software packages. 

Continued Efforts

As part of our standard operating procedure, we’ll continue to monitor any environments that may be affected by Log4j and will deploy additional mitigation and remediation steps as needed. 

This advisory will be updated as more information becomes available. For customers with additional inquiries, please create a support ticket or refer to our Information Security and Trust page on Workday Community.