Miro is aware of the recent vulnerability releases related to Log4j, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832.

— Miro continues to follow our vulnerability management process in patching Miro services to address the Log4j2 vulnerability. — All Java Log4J applications have been patched and updated — Miro has implemented blocks in its WAF for these CVEs related to the Log4j2 vulnerability — Miro has validated that blocks in in its WAF are in place — Miro currently does not have any systems susceptible to this attack that are not patched or mitigated.

In the wake of the additional Log4j vulnerability (CVE-2021-45046), we wanted to take a moment to update our clients on Miro’s status regarding the vulnerability:

Yes. The Miro application does use the Log4j library and therefore was impacted by this vulnerability. Miro became aware of the vulnerability on 10 December 2021 and has been monitoring the issue since.

— Miro continues to follow our vulnerability management process in patching Miro services to address the Log4j2 vulnerability referenced in CVE-2021-44228 and CVE-2021-45046. — All Java Log4J applications have been patched and updated — Miro has implemented blocks in its WAF for these CVEs related to the Log4j2 vulnerability — Miro has validated that blocks in in its WAF are in place — Miro currently does not have any systems susceptible to this attack that are not patched or mitigated.

No. At this time, after triage and containment, Miro has no indicators of exploitation or data exfiltration from Miro systems. Miro continues to monitor and review. If Miro becomes aware of unauthorized access to client data, we will notify impacted clients without undue delay.

Yes, we have logging and monitoring in place and logs are regularly reviewed. Miro will continue to analyze data and monitor the situation and share updates, if necessary, as they become available. If you have any further questions please reach out to your Customer Success Manager or contact Support. Sincerely, The Miro Trust Team

This update from the Miro Security team is to notify you that the recently disclosed Java Log4j RCE vulnerability (CVE-2021-44228) affects all versions from 2.0-beta9 to 2.14.1. A summary is provided below of how Miro is ensuring rapid remediation and mitigation to keep customer content and data secure. Miro is aware of the recent vulnerability releases related to Log4j, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832.

— No additional actions are required from the customers — Miro has rolled out the updates to detect and mitigate CVE-2021-44228 — Where immediate removal may be problematic, Miro has implemented mitigation controls with firewall blocking and extended monitoring and alerting — Attempts at exploitation will be automatically blocked at the Miro firewall level

A 0-day exploit in the Java core library log4j was discovered that results in Remote Code Execution (RCE). Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. The attack surface is very wide, since it’s almost impossible to find any single Java project without the log4j library enabled. It affects internal services and APIs that are based on Java and uses other API and application data to log them.

Please contact your Customer Success Manager or Support