You may have seen news recently about a security flaw in a common software library called Log4j that could affect large portions of the internet. Also known as CVE-2021-44228, the vulnerability is specific to Java-based services. A successful attack could potentially allow an attacker to access host data and resources.
At Marin Software, the privacy and integrity of our customers' data is a top priority. Marin has evaluated its primary external services and preliminarily determined there is limited vulnerability, if any, to the Log4j issue.
- MarinOne, Marin Enterprise, Marin Social, Marin Go, and Marin Labs: Internet-facing services are non-Java.
- BI Connect: all components have been upgraded to remediate against the vulnerability.
- Marin Tracker: runs “outside the firewall” and communicates via asynchronous file transfer using a non-Java mechanism.
- Marin hardware, OS, and network infrastructure: confirmed cleared of vulnerability per vendor statements.
Because of the evolving nature of the threat and the high volume of potential attacks at this time, Marin will continue to investigate these services as well as secondary / internal services. For publisher remediation status, customers should contact those publishers directly.
Update published January 5, 2021:
Marin has completed its assessment of the Marin application. We believe that the Marin application host systems and related data are currently protected from the vulnerability noted above and related Log4j vulnerabilities. We believe the Marin application host systems and related data were not compromised. Our conclusions are based on many factors, including but not limited to a lack of Java-based external services, tightly circumscribed host settings and network privileges, and communications with third party vendors. As part of a defense-in-depth approach to system security, Marin has also taken several steps recently that have been designed to create additional protections against this class of vulnerabilities.
Marin will continue to evaluate any vulnerabilities as they come up, and we will work to comply with industry best practices in application, host, and network security.