Log4j security gap closed: VIER customers are safe!
20 Dec, 2021 15:00
Tobias Hoffmann, in mid-December, more precisely on 10 December 2021, the German Federal Office for Information Security, BSI, warned of a security vulnerability in a logging library for Java applications. Why was VIER also affected by this vulnerability?
Specifically, it was about Log4j, a logging library that records events in server operation as if in a logbook. The security vulnerability affects versions 2.0 to 2.14.1. Through the security vulnerability, attackers have or had the possibility to install malware on other servers. And since Log4j is very widespread in the area of Java technology, such a security vulnerability affects countless companies - global corporations as well as small businesses, but also providers and thus their customers. But because VIER worked closely with the BSI, we were able to react immediately to this security warning.
The warning from the BSI came on Monday, 10 December. VIER already closed this vulnerability on 13 December - how did that work?
Based on our Data Protection and Information Security Team (DIST), we immediately initiated appropriate countermeasures for the affected VIER products, i.e. we installed patches 2.17.0 for VIER engage and VIER Conversational AI. At this point, I would like to thank all colleagues who immediately took action and worked a lot of overtime! As a result, we were able to give our customers the all-clear as early as 13 January.
This means that the VIER clients who work with VIER engage and VIER Conversational AI do not have to worry about the security of their data?
That's right. Through our close cooperation with the BSI and the immediate implementation of countermeasures, we were able to prevent our systems from being compromised. In addition, we are of course continuously checking whether VIER systems were affected at all. So far, we have not been able to determine this.
What about 3rd party products that VIER offers?
There, we rely on patches from the manufacturers and install them as soon as the patches are available. As a transitional measure, however, we have secured the corresponding products by deactivating or isolating them. This means that these 3rd party products are currently NOT accessible from the internet, but are therefore also not vulnerable. However, we are convinced that the affected manufacturers will provide the patches as soon as possible and that our customers will then be able to work as usual again. We are in close contact with our customers.