Log4j vulnerabilities (Log4Shell) - CVE-2021-44228 and CVE-2021-45046

This page provides details on Twingate’s response to the high-severity vulnerabilities (CVE-2021-44228 and CVE-2021-45046) impacting multiple versions of the Apache Log4j 2 library.

Twingate services impact

We believe our own code is not impacted by the vulnerabilities. We are monitoring updates from our service providers to understand if their services have been affected by these vulnerabilities and will take action if there is any resulting impact to our services. Based on current information, we do not believe any aspect of our services to our customers is affected by these vulnerabilities.

Detail

High-severity vulnerabilities (CVE-2021-44228 and CVE-2021-45046) impacting multiple Apache Log4j 2 versions were disclosed publicly on December 9, 2021 and December 14, 2021. The vulnerabilities impact Apache Log4j 2 versions 2.0 to 2.14.1 and also 2.15.0. Some related vulnerabilities might also impact Apache Log4j 1.

A security investigation to determine whether there was any impact on Twingate or our customers has been conducted. So far, our security testing has not identified any exploitable RCEs against any Twingate products. Twingate does not use Log4j in any of the following software, and the vulnerabilities do not exist in any of it:

  • Connector
  • Windows Client
  • macOS Client
  • Linux Client
  • iOS Client
  • Android Client

Last updated 1 year ago