Troubleshooting - General

Recently, security researchers identified three remote code execution (RCE) vulnerabilities related to the Spring Framework (CVE-2022-22965, CVE-2022-22963, CVE-2022-22947). In addition, there is a fourth DoS vulnerability with Spring that has medium criticality, CVE-2022-22950.

Since these issues were first discovered, Udemy’s Security team has been working diligently to review and protect Udemy’s systems. At this point, there are no indicators that these vulnerabilities have negatively affected any company or personal data.

For high-risk, high-impact vulnerabilities such as these, our teams take a number of immediate steps, including testing to confirm levels of vulnerability, restricting network connections, and applying software or system updates or workarounds where necessary. Our Security and Engineering teams will monitor our environment, critical sub-processors, and vendors for instances of these vulnerabilities, attempted attacks, and notices from our contracted third parties.

As we obtain additional information, we will provide updates through this page. Our Security team is working diligently to ensure our systems are safeguarded as security researchers’ recommendations evolve, so we’re currently unable to provide custom responses. For detailed information on our response approach, please refer to the frequently asked questions below. 

Have you updated to a safer version of Spring Framework?

In each case where vulnerable versions of Spring Framework or related offerings were previously in use, we undertake careful remediation efforts, such as upgrading to a recommended newer version or implementing recommended workarounds. We have also adjusted our layered defenses to protect our systems more globally.

When will the remediation be complete?

Udemy’s Security team is monitoring recommendations from security experts and vendors as the Spring Framework vulnerabilities attack patterns evolve, and our remediation and mitigation efforts will continue as these recommendations are shared.  

Has customer data been compromised?

At this point, there are no indicators that this vulnerability has negatively affected any company or personal data. 

Are you asking third-party vendors used in your environment about the impact of Spring Framework on them?

Udemy has reached out to key Udemy Business subprocessors, and we apply updates to tooling as our vendors release them. 

If your users access their Udemy Business accounts through your company’s network, your organization’s IT may need to allowlist several domains and subdomains to ensure some features operate correctly. 

This article outlines which domains and subdomains may need to be allowlisted for certain, Udemy Business features.

Allowlisting content (video streaming)

If your users experience significantly degraded performance (i.e., playback delays) while streaming videos and viewing content through your company’s network, the video streaming domain Udemy Business utilizes should be allowlisted.

To ensure your users can view Udemy Business content without any issues, please have your organizations’ IT allowlist the following video streaming domain on your network firewalls/gateways: *.udemycdn.com.

Still encountering streaming issues? If the problem persists after your organization’s IT has allowlisted this domain, please advise your users still encountering the issue to reach out to Udemy Business Support and have them provide our team a HAR file. The information in the HAR file will help our engineers in determining what the issue is so they can start working on a resolution.

Allowlisting emails

If your company's firewalls are generally restrictive (certain commonly used sites are blocked), you will need to allowlist the following email sending domains and all of their subdomains from Udemy for Business to ensure the delivery of invitation, password reset, and other important emails.

• a) *.udemy.com 
• b) *.udemymail.com

Important: please be sure to verify with your email service provider what the correct method is for allowlisting all subdomains on a given domain, as this can vary by provider. If the subdomains aren’t allowlisted properly, then the delivery of emails from Udemy Business from these domains may be blocked.

Allowlisting report downloads

If your company's firewalls are generally restrictive (certain commonly used sites are blocked), you will need to allowlist the following site to ensure reports can be downloaded successfully.

• *amazon.com

Allowlisting labs and workspaces (Udemy Business Pro users)

Udemy Business Pro users who access Udemy Business from inside their company's network, will need their organization's IT to allowlist the following domains to ensure workspaces and labs work correctly.

• *.udemy.com
• *.udemycdn.com
• *.udemylabs.com
• *.vocareum.com
• *.amazon.com

Allowlist entries for Azure

Allowlist entries that Microsoft recommends for Azure can be reviewed in this Microsoft resource.

Recently, security researchers identified a remote code execution (RCE) vulnerability (CVE-2021-44228) affecting Apache’s Log4J tool, a Java-based logging utility used by a wide variety of software providers.

Since this issue was first discovered, Udemy’s Security team has been working diligently to review and protect Udemy’s systems. At this point, there are no indicators that this vulnerability has negatively affected any company or personal data. We continue to investigate the impact of this vulnerability across our infrastructure and applications. 

For high-risk, high-impact vulnerabilities such as this, our teams take a number of immediate steps, including testing to confirm levels of vulnerability, restricting network connections, and applying software or system updates or workarounds where necessary. Our Security and Engineering teams will monitor our environment, critical sub-processors, and vendors for instances of this vulnerability, attempted attacks, and notices from our contracted third parties.

As we obtain additional information, we will provide updates through this page. Our Security team is working diligently to ensure our systems are safeguarded as security researchers’ recommendations evolve, so we’re currently unable to provide custom responses. For detailed information on our response approach, please refer to the frequently asked questions below. 

Have you updated to a safer version of Log4J (2.0-2.14.1) ?

In each case where vulnerable versions of Log4J were previously in use, we have undertaken careful remediation efforts, such as upgrading to a recommended newer version or implementing recommended workarounds. We have also adjusted our layered defenses (e.g., adding additional restrictions on inbound and outbound network connections) to protect our systems more globally.

When will the remediation be complete?

Udemy’s Security team is monitoring recommendations from security experts and vendors as the Log4J vulnerability attack patterns evolve, and our remediation and mitigation efforts will continue as these recommendations are shared.  

Has customer data been compromised?

At this point, there are no indicators that this vulnerability has negatively affected any company or personal data. 

Are you asking third-party vendors used in your environment about the impact of Log4J on them?

Udemy has reached out to vendors, and has applied updates to tooling as our vendors release them. We are also monitoring aggregated lists from security experts to ensure we respond to other recommended security mitigations on a tool-by-tool basis. 

If your users are unable to log in after being invited into your Udemy Business account, first have them reset their password. If that does not work, ask the affected user to submit a support ticket, and a member of our Support Team will respond within 24 hours.

If you have set up Single Sign On (SSO) for Udemy Business, please contact your organization’s IT department to ensure users have been given access to Udemy Business via your SSO provider.

If your company's firewalls are generally restrictive (certain commonly used sites are blocked), you will need to allowlist the emails from Udemy to ensure operation of the password reset function. Learn more about allowlisting the email sending domains and subdomains for Udemy Business.