Over the weekend of 12-11-2021, Hopin became aware of a critical vulnerability affecting log4j2, a ubiquitous Java logging library used in thousands of projects worldwide. No evidence of any attempted exploitation against Hopin has been found, and no customers have been affected.
The vulnerability has been assigned CVE-2021-44228(1) and given a CVSS score of 10/10(2). In response, Hopin immediately performed extensive analysis of its Web Access Logs (WALs), its CDN providers, all source code repositories and other security instrumentation.
Hopin does not use Java as a primary development language, so the effect of this vulnerability on Hopin’s critical services is extremely limited. We identified 5 internal support systems which have log4j2 as a dependency, all of which have been patched or are otherwise unaffected by the vulnerability.
We are actively working with our cloud and managed service providers to ensure that indirect dependencies are also identified, tracked and remediated.
Hopin’s infrastructure is primarily hosted on AWS, which has announced(3) that it is actively patching any services which run a vulnerable version of log4j2.
The security of our systems, and the trust and safety of our customers, are Hopin’s highest priorities and we will continue to work diligently to ensure that our users’ privacy is protected.