Log4j2 & HubSpot

This page was originally published December 14, 2021 and was last updated on September 6, 2022.

Log4j2 & HubSpot

HubSpot is aware of ongoing security issues related to open-source Apache “Log4j2”. We know that the security of your HubSpot tools is especially important given the uncertainty around these events. HubSpot customer-facing tools do not use Log4j2 as a logging tool, and are not susceptible to the vulnerabilities that have been discovered thus far.

We are committed to continued monitoring of the situation, thorough review of the HubSpot tools as new information becomes available, and to do our best to provide you with the information you need to feel secure for your business.

What is Log4j2?

Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.

Was HubSpot affected? 

We have performed a thorough investigation and found no HubSpot customer-facing tools that use Log4j2. 

Since we became aware of the vulnerability, HubSpot has taken a number of steps to identify and mitigate any risk to our products and our customers. We have implemented:

  • Full scans of all production services to confirm that they don't have a dependency on the Log4j2 library. Precautions to prevent use of the vulnerable version of Log4j2 in future systems. 
  • Updated Web Application Firewall rules to avert exploitation attempts.
  • We will continue regular vulnerability scans on all HubSpot systems as outlined in our security resources.

We have requested details of any potential vulnerabilities from all sub-processors of the HubSpot product, and are monitoring their responses. HubSpot’s most important sub-processors, including Amazon Web Services, Google Cloud, Cloudflare, and Snowflake were either not vulnerable or have already begun patching the vulnerability across their networks.

HubSpot Corporate Security, which monitors the internal tools that HubSpot employees use, is systematically reviewing each HubSpot Corporate internal system. If any system is found to be vulnerable, we will rapidly patch the instance, or apply other mitigation tactics as advised by the vendors we use.

 We will continue to investigate any potential exposure to this vulnerability and alert our customers as required. At this time, HubSpot customers do not need to take any action related to their use of HubSpot software.

 If you have specific questions related to this event, please contact HubSpot Support.  

 

Update - September 6, 2022

A vulnerable version of Log4j was discovered in HubSpot’s infrastructure by a security researcher and responsibly  disclosed to us through the HubSpot bug bounty program on August 28, 2022. 

HubSpot investigated the reported findings and performed the following actions:

  • Confirmed that a small legacy portion of our logging infrastructure contained the vulnerable version of Log4j
  • Patched and fixed the affected service to remove the vulnerability
  • Inspected multiple log sources to confirm that no malicious attempts to exploit the vulnerability had been found 

At this time, no action is required by HubSpot customers. HubSpot Security will continue to monitor for any potential exposure to this vulnerability and assess additional safeguards to help prevent future exploitation. We will update this page as needed.