HubSpot is aware of ongoing security issues related to open-source Apache “Log4j2”. We know that trust in the security of your HubSpot tools is especially important given the uncertainty around these events. HubSpot products and customer-facing tools do not use Log4j2 as a logging tool, and are not susceptible to the vulnerabilities that have been discovered thus far.
We are committed to continued monitoring of the situation, to thorough review of the HubSpot tools as new information becomes available, and to doing our best to provide you with the information you need to feel secure for your business.
What is Log4j2?
Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.
Was HubSpot affected?
We have performed a thorough investigation and found no HubSpot products or customer-facing tools which make use of Log4j2.
Since we became aware of the vulnerability, HubSpot has taken a number of steps to identify and mitigate any risk in our products to our customers. We have implemented:
We have requested details of any potential vulnerabilities from all sub-processors of the HubSpot product, and are monitoring their responses. HubSpot’s most important sub-processors, including Amazon Web Services, Google Cloud, Cloudflare, and Snowflake, were either not vulnerable, or have already begun patching the vulnerability across their networks.
HubSpot Corporate Security, which monitors the internal tools that HubSpot employees use, is systematically reviewing each HubSpot Corporate internal system. If any system is found to be vulnerable, we will rapidly patch the instance, or apply other mitigation tactics as advised by the vendors we use.
We will continue to investigate any potential exposure to this vulnerability and alert our customers as required. At this time, HubSpot customers do not need to take any action related to their use of HubSpot software.
If you have specific questions related to this event, please contact HubSpot Support.