Late last week, an Apache Log4j vulnerability was discovered as an exploit targeting Minecraft servers, but the vulnerability has been detected internet-wide.
Log4j is an open source java package which enables logging. Check GitHub CVE-2021-44228 report for more information and review reports about Log4Shell.
After a review, Tiny can confirm that none of our Enterprise or Cloud services use Log4j and therefore our services are not at risk.
Tiny makes use of log4s for logging and any logging related development. The log4s project makes use of the slf4j API. While slf4j can be used with log4j, Tiny uses the logback backend, which is not affected by the same vulnerability as Log4j.
Security management at Tiny
Security management is important to us, and our customers, that’s why we prioritize security investigations.
How do you report security issues?
Anyone can report a vulnerability by emailing information to firstname.lastname@example.org, including any information on how it was discovered. Tiny customers may also log issues through the Tiny support system.
When we receive a security report, our InfoSec team assesses the severity and impact of the issue, then they decide on a course of action.
If the issue requires a product change, we then consult the responsible engineering team.
Security issues are prioritized
The engineering team then addresses and patches the issue in all supported versions. Open source versions receive attention first, followed by commercial versions.
Once we’ve completed the patch for commercial versions, a security alert is issued. GitHub security reports are an ideal place to issue alerts, since GitHub’s wide adoption means the widest number of users and companies can see the alert and integrate an update into their patching workflow.