On December 9, 2021, The Apache Software Foundation publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library Log4j. Upon identification of the security advisory, Acoustic began the process of evaluating the potential impact to Acoustic, including the Acoustic Marketing Cloud, Tealeaf by Acoustic, and DemandTec.

What has Acoustic completed to date?

Acoustic quickly reviewed our platform and discovered instances of the vulnerable version of Log4j. We patched or mitigated identified libraries, but the nature of this vulnerability is such that the industry guidance for remediation has continued to evolve over time and Apache subsequently announced new but related vulnerabilities (including CVE-2021-45046, CVE-2021-4104, CVE-2021-45105). Acoustic has worked diligently to remain current with the latest industry recommendations and we will continue to monitor this situation and the evolving guidance on remediation options.

Due to the widespread and pervasive nature of this vulnerability across the global software ecosystem, Acoustic is also actively working with our technology partners to ensure that the testing, validation, and remediation process for this vulnerability is being comprehensively applied.

In addition, Acoustic has aggressively monitored and tested for any attempted exploitations of this vulnerability since its release, and we continue to do so.

Update as of January 6, 2022

Acoustic is aware of CVE-2021-44832, which affects Log4j versions through 2.17.0, and requires specific configurations to allow exploitation through an RCE attack. Acoustic has reviewed the vulnerability; based on the specific configurations required and existing protections and mitigations in place, Acoustic will follow our standard remediation process for vulnerabilities. Acoustic continues to monitor updates and developments of Log4j vulnerabilities. We are continuously monitoring Acoustic systems and environments for Log4j vulnerabilities and attempted exploitation.

Next Steps

Acoustic will continue to post any updates here if there are any changes. If you are an Acoustic customer and have further questions, please reach out to your Customer Support partner or our Support team.

Last updated: January 6, 2022

Acoustic’s position on the Log4j vulnerability