Update December 13: At this time, we have no reason to believe any Broadsign systems are at risk from the log4j/Log4Shell vulnerability. We have conducted an in-depth audit and have detected no vulnerabilities. We will, however, continue to monitor our systems closely as an extra precaution and will update this blog post with any new information.
Log4j & Broadsign in more detail
In early December, a vulnerability called “Log4Shell” was detected in the open-source Log4j logging library. Log4j is used widely by technology companies around the world, and Log4Shell enables bad actors to exploit this library to remotely execute code on vulnerable servers with relative ease.
Upon the announcement of this vulnerability, our team immediately performed a review of our systems. Based on this review, we can say the following:
- We have no reason to believe that any components of the Broadsign platform are at risk
- Log4j is not in use in any of our products or internal systems
We will continue to monitor this situation as it evolves and make any additional updates to this post whenever new information arises.
The Log4j vulnerability & Broadsign API services
While Broadsign’s core services do not appear to be impacted by this vulnerability, we encourage you to verify any integration projects you have created using the Broadsign API services.
In the event that you are making use of Broadsign API services and have used Java/Log4j in any integration projects with any part of the Broadsign Platform, we strongly encourage you to perform an in-depth analysis to make sure that you are not exposed to this vulnerability. Remote attackers could use this as a point of entry to potentially gain access to your API keys.