Twilio’s Response to the Log4J Vulnerability

Twilio’s Response to the Log4J Vulnerability

Twilio believes that the security of our products and our customers’ data is of paramount importance and when an incident occurs that might threaten that security, we tell you about it. To that end, we wanted to provide an overview of our response to the recently discovered zero-day vulnerability in the Java logging library Log4j.

What happened?

On December 9, 2021, Apache publicly disclosed a remote code execution (RCE) vulnerability (CVE-2021-44228) in its popular Java logging library, Log4j. Upon identification of the security advisory, Twilio began its security incident response process to evaluate the potential impact to Twilio, inclusive of its SendGrid and Segment products as well as its subsidiaries, and promptly begin steps to remediate any exposure.

What have we done?

Our subsequent investigation evaluated and identified usage of the affected Log4j versions in the Twilio environment. Twilio is currently working to remediate, through patching, those affected Log4j versions as quickly as possible.

While that process is ongoing, our security team has set up detective and preventive controls to protect against exploitation of our environment. As of the time of posting, we have not discovered any instances of exploitation of this vulnerability within our environment. If Twilio becomes aware of unauthorized access to our environment, we will notify impacted customers without unnecessary delay.

Next Steps

The Twilio Security Incident Response Team will post any updates here if there are any changes. If you have further questions, please reach out to your customer support partner or our Support team.

Update 12/15/2021

Twilio continues to follow our vulnerability management process in patching affected usages of Log4j to address the Apache Log4j2 vulnerability referenced in CVE-2021-44228. We expect patching to be complete within our patching SLA for critical vulnerabilities of 7 days.

Twilio is also aware of an additional security advisory indicating that the fix to address CVE-2021-44228 in Log4j 2.15.0 was incomplete in certain non-default configurations. Twilio is evaluating the potential impact of this advisory and following remediation processes. The Twilio Security Incident Response Team will post any updates here as necessary.

Update 12/16/2021

Twilio continues to follow our vulnerability management process in patching affected usages of Log4j to address the Apache Log4j2 vulnerability referenced in CVE-2021-44228. Thus far, Twilio has patched all customer-facing services to Apache Log4j version 2.15.0. The few remaining non-customer facing vulnerable services are actively being patched, with preventive and detective controls in place to mitigate against potential exploitation.

Twilio is aware of the additional risks noted in CVE-2021-45046 and has prioritized patching to Apache Log4j version 2.16.0 without undue delay once fully patched to version 2.15.0.

Twilio is performing an assessment of our third parties and verifying with critical partners, including our sub-processors, to determine the extent to which they are impacted by the Log4j vulnerability and the steps they have taken toward remediation, to ensure that any personal data they process on our behalf remains protected to the standard we have committed to.

At present, there are no actions required by Twilio customers. If this changes, Twilio will inform all affected customers without undue delay.

Twilio will forego further updates on this blog post unless there are major updates requiring notification. If you have further questions, please reach out to your customer support partner or our Support team.

Update 12/17/2021

In light of new information associated with CVE-2021-45046, Twilio has increased efforts to patch all affected services to version 2.16.0. We expect patching to be complete within our patching SLA for critical vulnerabilities of 7 days.

While that process is ongoing, Twilio’s security team continues to maintain additional detective and preventive controls to dynamically protect against exploitation of our environment.

These include, but are not limited to, the monitoring for indicators of compromise within our environment (24x7), monitoring for signals indicative of a threat actor interacting within a compromised system or service (24x7), and implementing near real-time threat intelligence through high-fidelity feeds provided by industry leaders in order to further enhance our monitoring and investigative efforts, and dynamically update the rulesets on our various tools.

At present, there are no actions required by Twilio customers. If this changes, Twilio will inform any affected customers without undue delay.

Update 12/18/2021

Twilio continues to follow our vulnerability management process in patching affected usages of Log4j to address the Apache Log4j2 vulnerability referenced in CVE-2021-45046.

Twilio is also aware of an additional security advisory indicating that under certain configurations, Apache Log4j versions through 2.16.0 are vulnerable to being exploited by malicious actors to stage a denial-of-service (DoS) attack. Twilio is evaluating the potential impact of this advisory and following applicable remediation processes.

While that process is ongoing, Twilio’s security team continues to maintain detective and preventive controls to dynamically protect against exploitation of our environment.

At present, there are no actions required by Twilio customers. If this changes, Twilio will inform any affected customers without undue delay.

Update 12/21/2021

As part of our vulnerability management process, Twilio is continuing to work to remediate the vulnerability announced in CVE-2021-45046. Thus far, Twilio has remediated all affected customer-facing services appropriately.

In addition, we have assessed the vulnerability announced in CVE-2021-45105 and determined that due to conditions that must exist for this vulnerability to be exploitable and current protective measures in place to mitigate against exploitation, remediation efforts will continue as per our standard vulnerability management process.

Currently, there are no actions required by Twilio customers. However, due to the dynamic and fluid nature of the situation, Twilio continues to monitor for any relevant developments and will update accordingly.

Update 12/28/2021

Twilio is aware of an additional security advisory indicating that under certain configurations, Apache Log4j versions through 2.17.0 are vulnerable to exploitation through a remote code execution (RCE) attack.

Twilio security has conducted an assessment of the vulnerability, also known as CVE-2021-44832, and determined that due to the conditions that must exist for this vulnerability to be exploitable and current protective measures in place to mitigate against exploitation, remediation efforts will follow our standard vulnerability management process.

At this time, no action is required by Twilio customers. As noted previously, the situation remains fluid and Twilio will continue to monitor developments related to Log4j vulnerabilities and respond accordingly.

Update 1/24/2022

Twilio has fully remediated the Log4j vulnerability. All affected Twilio services have been patched to address the issues currently identified in CVE-2021-44228 , CVE-2021-44832, CVE-2021-45105 and CVE-2021-45046. Twilio will continue to monitor for further developments related to Log4j vulnerabilities and respond accordingly.