Foxit eSign – Statement Addressing the Log4j 2 Vulnerability

On December 9th, 2021, Foxit eSign was notified of the Log4j 2 vulnerability, also referred to as LogJam or Log4Shell. Our team took swift and immediate action to mitigate any risk for our users, including application of the patch to resolve the situation as soon as it became available – patch Log4j 2.16. We have determined that no compromises were or are currently present within our software or for any of our users as a result of this activity.

We are committed to the security of our product, the privacy of our user’s data, and the transparency of our communication. For these reasons, we have strict measures in place to monitor and prevent any security breaches, as well as to implement immediate preventative and mitigative action when needed.

Our team of security experts will continue to monitor the Log4j 2 vulnerability as it develops, including implementation of heightened surveillance of any and all suspicious activity, and take any necessary actions promptly as deemed necessary and as recommended by the Cybersecurity & Infrastructure Security Agency (CISA).

What is Log4j 2?

Developed by the Apache Software Foundation, Log4j is a Java-based logging software that records events, software runs, and communications between a particular system and its users. Log4j 2 is the most recently updated version of the Apache logging software.

The security vulnerability identified with the latest Log4j 2 update could potentially allow hackers the ability to institute control over log messages and parameters, which could lead to malicious behavior and the execution of arbitrary code.

More information on the Log4j 2 vulnerability can be found here on Apache’s website and on the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) here.

What is Foxit eSign doing to prevent any security risks or malicious acts from occurring as a result of the Log4j 2 vulnerability?

Our security team’s efforts regarding the Log4j 2 vulnerability are ongoing. So far, we have performed the following actions as determined necessary by our team and by recommendation of CISA:

• Updated Log4j 2 parameters as soon as we learned about the vulnerability
• Updated all staging and production servers to the latest Log4j 2.16 patch released on 12/14/2021
• Confirmed with all service vendors our application utilizes that necessary preventative measures have been taken

What steps will Foxit eSign continue to take in response to the Log4j 2 vulnerability?

Ongoing concentrated efforts are required at this time in response to the Log4j 2 vulnerability. We will continue to monitor the situation as it progresses and take the following actions as needed:

• Apply any available vendor patches as they become available
• Monitor any and all security bulletins as they are released
• Limit any new exploitations or vulnerabilities by continuing to implement strong network controls and firewalls
• Continue communications with our vendors to ensure no potentially vulnerable versions of Log4j 2 are present in their software
• Maintain transparency with users and provide communication on any pertinent changes or updates

As a user of Foxit eSign, am I or my business currently at risk from the Log4j 2 vulnerability?

Since learning of the vulnerability, Foxit eSign has implemented strict monitoring of the situation and all potential risk factors. We have determined that there are currently no compromises to our software or to any of our user’s data or usage of our application.

We encourage our customers and vendors to assess individual endpoint implementations for the use of the Log4j software; this includes any third-party software.