LaunchDarkly Audit Shows Systems Unaffected by Log4j Vulnerability featured image

LaunchDarkly prioritizes the security of our customers' data. That’s why last week, when researchers discovered a significant vulnerability in the widely-used Java library Log4j, the LaunchDarkly Security team conducted an immediate investigation to determine how the vulnerability impacted our systems.

First, we confirmed that the SDKs and container images we ship to customers were not directly impacted. Specifically, for our Java libraries:

  1. Our Java Server SDK uses SLF4J as its logging API, which utilizes a facade pattern and doesn’t have any runtime or build-time dependencies on Log4j. If you use this SDK and configure Log4j as the logging implementation, you should ensure that you are not on a vulnerable version or have implemented alternative countermeasures.
  2. Our Java API client can optionally do logging of HTTP requests using OkHttp's logging feature, which uses the java.util.logging API under the hood.

In addition, the LaunchDarkly Relay Proxy does not rely on Java in any way, and is therefore unaffected.

While we have a limited footprint of internal infrastructure that relies on Java and JVM technologies, we conducted a system audit with our engineering team and remediated any potential issues. We will continue to monitor the situation and implement patches from third-party services within our infrastructure as they become available.

Finally, we audited for evidence of successful exploitation in our Security Information and Event Management (SIEM) system and did not find any. We will continue to monitor for malicious activity and introduce vulnerability-specific signatures in our relevant detection and prevention infrastructure.

Whenever you send your data to LaunchDarkly, you trust us to secure it by following industry-recognized security best practices. We hope this post increases transparency and provides assurance around how the Log4j vulnerability affects the data of LaunchDarkly customers. Please let us know if you have any additional questions and concerns at security@launchdarkly.com.

Related Content

More about Team & News

December 14, 2021