Workday Response on CVE-2021-44228 Apache Log4j
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228).
All environments containing Customer Data have been updated to mitigate the vulnerabilities identified in CVE-2021-44228 and CVE-2021-45046.
All environments we have identified containing Customer Data running versions of Log4j vulnerable to CVE-2021-44228 have been patched.
Workday's security team continues to investigate and address the Apache Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228). To date, we haven’t found any indication that Customer Data or environments containing Customer Data have been affected.
The vulnerability, disclosed on December 9, allows an attacker to execute code on a remote server if the system logs an attacker-modified string value on an exposed endpoint. The Log4j library is used widely in Java-based applications, including within the Workday service.
Upon learning of the vulnerability, we immediately initiated an investigation to determine its potential impact. We use Log4j in a number of Workday environments, and we've tested and deployed recommended mitigation techniques and remediation patches against this vulnerability in environments across the Workday service. Our efforts have included intrusion prevention via upgrades to our firewalls as well as upgrades of the Log4j library directly used by Workday and included in other software packages.
As part of our standard operating procedure, we’ll continue to monitor any environments that may be affected by Log4j and will deploy additional mitigation and remediation steps as needed.
This advisory will be updated as more information becomes available. For customers with additional inquiries, please create a support ticket or refer to our Information Security and Trust page on Workday Community.