Recently, security researchers identified a remote code execution (RCE) vulnerability (CVE-2021-44228) affecting Apache’s Log4J tool, a Java-based logging utility used by a wide variety of software providers.
Since this issue was first discovered, Udemy’s Security team has been working diligently to review and protect Udemy’s systems. At this point, there are no indicators that this vulnerability has negatively affected any company or personal data. We continue to investigate the impact of this vulnerability across our infrastructure and applications.
For high-risk, high-impact vulnerabilities such as this, our teams take a number of immediate steps, including testing to confirm levels of vulnerability, restricting network connections, and applying software or system updates or workarounds where necessary. Our Security and Engineering teams will monitor our environment, critical sub-processors, and vendors for instances of this vulnerability, attempted attacks, and notices from our contracted third parties.
As we obtain additional information, we will provide updates through this page. Our Security team is working diligently to ensure our systems are safeguarded as security researchers’ recommendations evolve, so we’re currently unable to provide custom responses. For detailed information on our response approach, please refer to the frequently asked questions below.
Have you updated to a safer version of Log4J (2.0-2.14.1)?
In each case where vulnerable versions of Log4J were previously in use, we have undertaken careful remediation efforts, such as upgrading to a recommended newer version or implementing recommended workarounds. We have also adjusted our layered defenses (e.g., adding additional restrictions on inbound and outbound network connections) to protect our systems across the environment as a whole.
When will the remediation be complete?
Udemy’s Security team is monitoring recommendations from security experts and vendors as the Log4J vulnerability attack patterns evolve, and our remediation and mitigation efforts will continue as these recommendations are shared.
Has customer data been compromised?
At this point, there are no indicators that this vulnerability has negatively affected any company or personal data.
Are you asking third-party vendors used in your environment about the impact of Log4J on them?
Udemy has reached out to vendors and has applied updates to tooling as our vendors release them. We are also monitoring aggregated lists from security experts to ensure we respond to other recommended security mitigations on a tool-by-tool basis.