With news of the security issue associated with Apache Log4j, the Java-based logging utility, breaking in early-December, Novade’s teams have been reviewing the security of the platform and back-end systems ever since.

We would like to inform that none of the core functionalities of Novade uses any version of Log4j library. A plug-in called the Windward Custom Reports uses Log4j but it is hosted on a separate server.

We can also confirm that our client services have not been impacted by this vulnerability.

Here is the timeline of actions carried out by Novade to ensure that the Windward vulnerability is secured:

  • 13 December: We confirmed that Novade uses Java 8. Log4j version 2.11 was used for Windward Custom Reports. Following the mitigation action from Apache, we updated the environment variable of the server LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • 14 December: Apache found a new vulnerability and released an announcement to update Log4j to version 2.16 to address that vulnerability. We updated our server to Log4j version 2.16 on the same day.
  • 17 December: A third vulnerability was found, and Apache released Log4j version 2.17 which we promptly updated in our server. Version 2.17 is the latest patch, and no other vulnerability is found.

Due to the nature of this vulnerability, our teams continue to actively monitor for updates from Apache on any new vulnerability and will patch our server accordingly. We are ready to respond and provide additional information if necessary.

Novade’s top priority remains in the security of all our clients and products. We appreciate your trust in us as we continue to make your security our top priority.

Thank you,
The Novade Team