An update on the Apache Log4j2 vulnerability

UPDATE: We have now confirmed all third-party vendors have been patched to address the issues currently identified in both CVE-2021-44228 and CVE-2021-45046.

A quick summary

On Dec. 9, 2021, we learned of a critical vulnerability in Log4j, a Java library from the Apache Software Foundation, described in CVE-2021-44228. A short time later, we learned of CVE-2021-45046, also implicating Log4j. Slack, like many cloud-based services, uses Log4j to process logs.

We immediately took steps to assess our infrastructure and client applications and to make updates mitigating the impact of the vulnerability. We completed our initial mitigation of CVE-2021-44228 on Dec. 13, 2021, and our mitigation for CVE-2021-45046 on December 17. As of Dec. 17, 2021, we have applied all necessary patches and mitigations to Slack’s production services vulnerable to the issues currently identified in CVE-2021-44228 and CVE-2021-45046 and we are executing our final validation steps.

Who was impacted?

We have not yet completed our impact analysis. For any vulnerability putting the Slack.com service and customer data at risk, we conduct an investigation to determine if the vulnerability was exploited by attackers to gain access to customer data. This investigation is in process for CVE-2021-44228 and CVE-2021-45046 and may take some time to complete. If we discover that any customer’s data was compromised as a result of this vulnerability, we will contact the customer without undue delay.

What’s left for Slack to do?

We are still verifying that nothing was missed in the mitigation process, ensuring temporary mitigations are made permanent, and investigating to determine if any customer’s data was affected during the time that Slack was vulnerable.

[Editor’s note: The status of third-party vendors has now been confirmed, see update above.] Also, we are still awaiting confirmation from some vendors that their services are fully patched. We will continue to monitor for developments related to the Log4J vulnerabilities and update our mitigations if necessary.

What do I need to do?

If applicable, we recommend that customers investigate risks related to Slack integrations (see below). The Slack service itself was updated on the back end. Customers do not need to update their clients, which did not use Log4j, or make any change to receive the patches and mitigations deployed to protect the Slack service.

For those who need more details

To respond to these vulnerabilities, we inspected our servers in production, development and corporate operating environments, our code repositories, and running production processes to identify all potential uses of Log4j. We used this data to compile a list of all potentially vulnerable services and began applying patches or workarounds to mitigate the potential impact of the issue. At this time, we have mitigations in place for the Slack service that align with the recommendations of CVE-2021-44228 and CVE-2021-45046. We are continuing to assess the potential impact of these vulnerabilities as new information is provided.

While the Slack service and API process data using Log4j, Slack clients for mobile and desktop were not affected by these vulnerabilities, as they do not use Log4j.

We are not able to evaluate the effect of these vulnerabilities on the service providers in our app directory. These service providers may or may not use Log4j. Please contact service providers directly for more information using the “Get support” link on the app’s listing in Slack’s App Directory.

If you have created your own integrations that interact with data in Slack (aka, “custom integrations”), you should review the implications this may have on your own use of Log4j to ensure:

• The data that you write TO Slack via these custom integrations is Slack’s responsibility to protect and Slack’s servers have been updated to mitigate the Log4j vulnerabilities, per information provided above.
• The data that you read FROM Slack and deliver to your own infrastructure presents lower risk if all of the data in your Slack workspace is from trusted sources.
• However, if any sources that you do not fully trust are posting data to your Slack workspace, you should immediately ensure that any infrastructure you host that supports logging via Log4j has been patched and is fully up to date.

What else is there to know?

There are several good sources to provide background information about the Log4j library and its issues. For those who want more context, we recommend:

• A plain-language explanation of the problem
• In the news
• Details from Apache

For technical questions, please reach out to members of the Slack support team. They will be happy to create a case.