Security announcements

If any critical security issues arise, we may provide comment about the impact to Redox below. The announcements are sorted by date, with the most recent announcement at the top of this page.

Log4Shell vulnerability

December 14, 2021

With regards to the recently-disclosed "Log4Shell" vulnerability in the Apache Log4j project (CVE-2021-44228): Redox has been reviewing our environment to identify any hosts, services, or third party components that had the potential to be vulnerable.

In summary, Redox has not been impacted by the Log4j vulnerability.

In detail:

  • Once the vulnerability was publicly disclosed, Redox promptly began an audit of our software and infrastructure, and engaged with third party software vendors to identify potential exposure.
  • Redox doesn't use Log4j or Log4j2 in our development stack.
  • We have audited third-party software in our production environment. After review, we don't believe components utilizing Log4j or Log4j2 are vulnerable. In line with our vulnerability and change management procedures, and out of an abundance of caution, we're updating these components to new versions.
  • We have also audited our log systems and found no successful attempts to leverage the vulnerability.

Redox’s security team will continue to monitor our environment to help ensure the CVE-2021-44228 vulnerability is fully addressed and does not impact our customers’ data.

See the official comment release.