Log4j Vulnerability and Smartsheet

Mary_A ✭✭✭✭✭
12/14/21
Accepted

Has anyone seen a statement or received a statement regarding the Log4J vulnerability and Smartsheet cloud or on prem? Just doing due diligence as regards this issue.


https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

Best Answer

  • Genevieve P. admin
    edited 12/23/21 Answer ✓

    Hi all,

    On December 9, 2021, Apache Foundation, a provider of enterprise apps and cloud services, was the target of a critical zero-day vulnerability in their Log4j2 logging library. We continue to track this issue and will take all necessary steps to maintain our strong security posture.

    Additional information related to the vulnerability is available at: https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

    If you need more specific information about your implementation of Smartsheet, please have your Smartsheet Account Admin contact your Smartsheet Account Representative or Smartsheet Support and they will be happy to provide them with up-to-date information.

    Thanks,

    Genevieve

Answers

  • I'm interested in this too. We use the cloud version, so mostly interested in that. This is in regard to CVE-2021-44228.

  • Mary_A ✭✭✭✭✭

    Update on this one: had a call with my account manager and asked this. He is going to check and get back to me. I'll update if I get more from him.

  • Mary_A ✭✭✭✭✭

    Thanks for the response @Garrett Henke, I am aware of the vulnerability information available. As Smartsheet investigates, it would be helpful if Smartsheet could maintain an advisory similar to what Citrix is maintaining, that would be helpful. Here is the Citrix Example I am referring to.

  • I would also like to know if there is any impact on Smartsheet.

  • edited 12/15/21

    Our company is in need of something to provide as confirmation Smartsheet has addressed this issue too (something similar to the Citrix example Mary_A provided above). We have sent an inquiry to our Account rep.

  • We hope to receive a response here as well. Until now there was no reply to our mail addressing this issue.


    Thanks and best regards

  • Same. We are reaching out to all of our application providers and have received statements and status for most. It would be helpful to have a statement from SmartSheet.

  • edited 12/16/21

    While I appreciate Genevieve's answer, it doesn't contain enough information. An official statement from SmartSheet affirming that there is no inclusion / use of Log4J in SmartSheet's codebase nor in any included libraries or servers they are using, or a statement that it is in use and has been patched or otherwise remediated would be in order. We'll need this statement to address our customers' concerns as well.

  • The current statement says only that there has been no impact on the service, which could simply mean that the vulnerability has not yet been exploited. We need a more proactive statement, preferably one stating either that log4j is not used, or if it is used, that it is either patched or remediated.

  • +1 on this... We need a more proactive statement, preferably one stating either that log4j is not used, or if it is used, that it is either patched or remediated.

  • @Genevieve P. Hi, as several others have commented - the current statement is far from enough and basically means nothing. We need a clear communication from Smartsheet on the matter asap.

  • Has anyone received any information on this? I can't find anything anywhere.

  • Is there a public statement somewhere about whether or not Smartsheet is affected by Log4j and any mitigation/remediation?

This discussion has been closed.