InVision Response to Industry Security Incidents
  • 20 Jan 2023


When technology companies disclose breaches, security incidents, and/or critical vulnerabilities, InVision often receives inquiries from our customers to better understand whether these incidents impact InVision services. This page provides easily accessible information regarding the potential impact of certain widely publicized security incidents on InVision’s services and customer data.
InVision constantly monitors for, reviews, and analyzes security breaches, incidents, and vulnerabilities that are relevant to our business. In addition to the list provided below, there may be additional security events and/or incidents under review. However, due to the sensitive nature of these investigations, we are unable to publish information regarding every security event and/or incident we review. Rest assured that if InVision customers are impacted by any security breach or incident, including any not listed on this page, we will notify affected customers in accordance with our terms and conditions.

Industry security incident details

Date

December 10, 2021

Organization/product

Apache Log4j

Incident overview

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVEs: CVE-2021-44228
Related CVEs: CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

InVision customer impact

None

InVision impact details

No externally accessible InVision services were determined to be vulnerable to Log4Shell or related Log4j vulnerabilities.

However, InVision does use a limited number of affected third-party technologies within our internal infrastructure. While these third-party technologies are not externally accessible and do not impact customers or the platform, InVision has taken appropriate steps to mitigate the Log4j vulnerabilities across all impacted services.

