Statement on the Log4J vulnerability (CVE-2021-44228)

WattIQ is committed to fast response to all critical security vulnerabilities, including those which may affect third-party subprocessors. This page describes our response to the "Log4J vulnerability" (CVE-2021-44228).

On Dec 9th, 2021, security researchers published a report of a high-risk “zero day” vulnerability (CVE-2021-44228) affecting a common software package (Apache Log4J) that can allow remote code execution. Because Log4J is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex and its impact is still being uncovered.

WattIQ does not currently use Java or the JVM in any of its products, and thus does not use Log4J at all.

We do host our cloud services on AWS and employ several third-party subprocessors/vendors as part of our production services, and thus we have been monitoring their efforts to assess, catalog, and mitigate their exposure. As of December 16, 2021, all of WattIQ’s third-party subprocessors have either made public announcements that they have no exposure, or have assessed and mitigated their exposure by updating to non-vulnerable versions of Log4J.

We will continue to monitor the vendors who are engaged in mitigation for further announcements, since this CVE is severe.