Log4j2 & HubSpot

HubSpot is aware of ongoing security issues related to the open-source Apache “Log4j2” library. We know that trust in the security of your HubSpot tools is especially important given the uncertainty around these events. HubSpot products and customer-facing tools do not use Log4j2 as a logging tool, and are not susceptible to the vulnerabilities that have been discovered thus far.

We are committed to continued monitoring of the situation, to thorough review of the HubSpot tools as new information becomes available, and to doing our best to provide you with the information you need to feel secure for your business.

What is Log4j2?

Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.

Was HubSpot affected? 

We have performed a thorough investigation and found no HubSpot products or customer-facing tools that make use of Log4j2.

Since we became aware of the vulnerability, HubSpot has taken a number of steps to identify and mitigate any risk in our products to our customers. We have implemented:

  • Full scans of all production services to confirm that they don't have a dependency on the Log4j2 library. HubSpot products use a different logging library and do not rely on Log4j2.
  • Precautions to prevent any use of the vulnerable version of Log4j2 in future systems.
  • Updated Web Application Firewall rules to help prevent exploitation attempts.
  • Ongoing regular vulnerability scans on all HubSpot systems, as outlined in our security resources.

We have requested details of any potential vulnerabilities from all sub-processors of the HubSpot product, and are monitoring their responses. HubSpot’s most important sub-processors, including Amazon Web Services, Google Cloud, Cloudflare, and Snowflake, were either not vulnerable or have already begun patching the vulnerability across their networks.

HubSpot Corporate Security, which monitors the internal tools that HubSpot employees use, is systematically reviewing each HubSpot Corporate internal system. If any system is found to be vulnerable, we will rapidly patch the instance or apply other mitigation tactics as advised by the vendors we use.

We will continue to investigate any potential exposure to this vulnerability and alert our customers as required. At this time, HubSpot customers do not need to take any action related to their use of HubSpot software.

If you have specific questions related to this event, please contact HubSpot Support.