Summary: Impact of the Vulnerability and Degreed
Updates
December 22, 2021
Degreed continues to monitor developments in the Log4Shell vulnerability (CVE-2021-44228, CVE-2021-4104 and CVE-2021-45046) and take recommended actions to ensure our systems are protected.
We completed the initial assessment of our internal application, systems, and tools (see How This Impacts Degreed, below, posted December 17, 2021). We are in contact with our third-party service providers to assess any impact to their systems related to the vulnerability.
To date, we have not discovered any unpatched or vulnerable systems, and we have not identified any breaches or suspicious activities.
What Happened
A critical code vulnerability (CVE-2021-44228) related to a Java-based logging library used in many Java-based applications was recently discovered.
What Does This Mean?
Organizations using Java applications could be vulnerable to external breaches. If successfully exploited, the vulnerability will result in attackers being able to perform an RCE (Remote Code Execution) attack.
How This Impacts Degreed
In short, Degreed itself doesn’t use Java, so we are not immediately impacted. However, we have been working since late last week to assess any impact with our third-party service providers and subprocessors. So far, we have not identified any breaches or vulnerabilities.
What We Commit To You
We will send a follow-up communication once our canvass of all subprocessors is complete and we can confirm no vulnerabilities were found.
We will continue to update this page with updates as we have them. If our search uncovers any unauthorized access due to this vulnerability, we will notify any affected clients according to established notification procedures.
We will continue to update everyone here as the situation progresses.
Please follow up with your account team if you have any additional questions at this time. Thank you!