When technology companies disclose breaches, security incidents, and/or critical vulnerabilities, InVision often receives inquiries from our customers to better understand whether these incidents impact InVision services. This page provides easily accessible information regarding the potential impact of certain widely publicized security incidents on InVision’s services and customer data.
InVision constantly monitors for, reviews, and analyzes security breaches, incidents, and vulnerabilities that are relevant to our business. In addition to the list provided below, there may be additional security events and/or incidents that are being reviewed. However, due to the sensitive nature of these investigations, we are unable to publish information regarding every security event and/or incident we review. Rest assured that if InVision customers are impacted by any security breach or incident, in addition to those listed on this page, we will notify affected customers in accordance with our terms and conditions.
Industry security incident details
Date: December 10, 2021
Organization/product: Apache Log4j
Incident overview: Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
CVEs: CVE-2021-44228
Related CVEs: CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
InVision customer impact: None
InVision impact details:
No externally accessible InVision services were determined to be vulnerable to Log4Shell or related Log4j vulnerabilities.
However, InVision does use a limited number of affected third-party technologies within our internal infrastructure. While these third-party technologies are not externally accessible and do not impact customers or the platform, InVision has taken appropriate steps to mitigate the Log4j vulnerabilities across all impacted services.