We expect that many of you have learned about the Apache Log4j vulnerability which has been widely covered in the media since Thursday, December 9, 2021.
Apache Log4j is a popular logging library used across many software projects and organizations. A remote code execution vulnerability (CVE-2021-44228) is present in versions of this library prior to 2.15.0; it could allow an adversary to execute code on systems where the adversary can control log messages or log message parameters.
We are reaching out to make you aware of this third-party security event and to ensure that you validate the use of Log4j in any integrations you develop for the Zendesk platform.
If you use Log4j, we recommend you immediately install the appropriate update or mitigations to protect your integration and our mutual customers.
You can find more information about the vulnerability here, along with details about the update released by the Apache Software Foundation and appropriate mitigation steps. Because information on this vulnerability is continuing to evolve, we highly recommend reviewing these resources regularly.
Please also refer to our public security advisory here to learn more about Zendesk’s response to this vulnerability.