Workday Response on CVE-2021-44228 Apache Log4j
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228).
December 22
All environments containing Customer Data have been updated to mitigate the vulnerabilities identified in CVE-2021-44228 and CVE-2021-45046.
December 18
All environments we have identified containing Customer Data running versions of Log4j vulnerable to CVE-2021-44228 have been patched.
December 16
Apache Log4j Vulnerability—Initial Findings
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228). To date, we haven’t found any indication that Customer Data or environments containing Customer Data have been affected.
The vulnerability, disclosed on December 9, allows an attacker to execute code on a remote server if the system logs an attacker modified string value on an exposed endpoint. The Log4j library is used widely in Java-based applications, including within the Workday service.
Workday Response
Upon learning of the vulnerability, we immediately initiated an investigation to determine its potential impact. We use Log4j in a number of Workday environments, and we've tested and deployed recommended mitigation techniques and remediation patches against this vulnerability in environments across the Workday service. Our efforts have included intrusion prevention via upgrades to our firewalls as well as upgrades of the Log4j library directly used by Workday and included in other software packages.
Continued Efforts
As part of our standard operating procedure, we’ll continue to monitor any environments that may be affected by Log4j and will deploy additional mitigation and remediation steps as needed.
This advisory will be updated as more information becomes available. For customers with additional inquiries, please create a support ticket or refer to our Information Security and Trust page on Workday Community.
More Reading
-
What the New EU-US Data Privacy Framework Means for Cross-Border Data Transfers
The seamless transfer of data between the United States and European Union plays a vital role in driving the digital economy and enabling multinational companies to effectively manage their global workforces. Workday Chief Privacy Officer Barbara Cosgrove shares an update on what the new EU-US Data Privacy Framework means for Workday customers, and for the future.
-
Safeguarding Privacy While Innovating With AI at Workday
Workday Chief Privacy Officer Barbara Cosgrove discusses the growing focus on the convergence of data privacy and artificial intelligence (AI). Learn how Workday balances privacy with the need to maximize value from AI technology.
-
Upholding Ethics and Integrity to Fuel Innovation and Technology Excellence
For the third consecutive year, Workday has been named one of The World’s Most Ethical Companies® by Ethisphere Institute, an honor we share with more than 50 Workday customers and partners. Chris Fedrow, chief compliance officer at Workday, discusses the importance of integrity.
