Is Expensify vulnerable to the Log4j RCE vulnerability being circulated on the internet?

andrewlawrence Expensify Customer Posts: 1

A serious security flaw exists in a popular logging module called Log4j. Can you please confirm if Expensify is vulnerable to this issue and, if so, what the plan is to remediate and protect customer data during this time?


https://logging.apache.org/log4j/2.x/

Answers

  • Sonia Liapounova, Expensify Success Coach - Admin, Expensify Team, Posts: 210

    @andrewlawrence Thanks for your query about the critical vulnerability in Log4j reported Friday, December 10th (CVE-2021-44228).

    Our security and engineering teams have worked around the clock to identify and mitigate any instances of this vulnerability in our systems and have so far concluded that Expensify has not been impacted. As ever, we continue to monitor for updates to security advisories as well as any evidence of compromise to Expensify. We will contact you if anything changes.

    Developers relying on Log4j should mitigate the risk posed by this vulnerability immediately by following the guidance from Apache.