Caseware is ensuring customers are protected against Log4j vulnerabilities
Published: January 07, 2022
The Apache Software Foundation recently released a security advisory concerning the Apache Log4j Java logging library. Caseware is providing the information below to customers to reassure them that appropriate actions are being taken to ensure their Caseware software systems are protected from this threat.
Issue Summary
On December 10, 2021, a critical remote code vulnerability was published concerning the Apache Log4j library.
Caseware has reviewed the recently published Apache Log4j Remote Code Execution vulnerability tracked in CVE-2021-44228 and assessed impact to our products. The security of our products is a top priority and critical to protecting our customers.
What Caseware is Doing
In response to the recently published vulnerability of Log4j (CVE-2021-44228), the Caseware team has rigorously reviewed any potential exposure and risks arising from the vulnerability.
The Security and broader Technology teams have taken appropriate steps to evaluate and, if applicable, mitigate this particular threat. Due to the sensitive nature and complexity of how potential vulnerabilities are addressed, we do not disclose specific actions or details regarding our controls or procedures.
All Caseware products managed by customers themselves (commonly referred to as "on-premise" or "desktop" solutions) are not impacted. This includes Caseware Working Papers and Caseware IDEA.
We have updated all known areas of impact to our Caseware Cloud offering. There has been no indication or discovery of compromise. As part of our regular security controls, we continue to monitor systems under normal operation procedure across all Caseware services and environments.
Information for our Customers
Caseware customers do not need to take any additional action.
Keeping customers' data secure is always our top priority. We have a well-established vulnerability management program that monitors multiple sources of threat intelligence for all relevant threats and vulnerabilities based on our technology stacks. All applicable, potential vulnerabilities are reviewed, rated, assigned SLAs, and remediated as appropriate. In addition, we continuously scan and monitor our applications and systems for new, potential vulnerabilities.