Update for Apache Log4j2 Issue
Incident Report for Intercom
Update [22 Dec 2021 16:30 UTC]

We have completed follow-up with our affected vendors. All customer facing internal & third party systems have been identified and mitigations are in place.

We have completed our investigation of previously vulnerable systems and found no evidence of compromise.

We are concluding this issue as resolved.
Posted Dec 22, 2021 - 16:38 UTC
We have hardened and/or patched affected systems and are continuing to follow up with our software vendors for updates. In the meantime, we have introduced improved detective and preventative measures to protect against any exploitation in our environment.

Our investigation of previously vulnerable systems has revealed no compromise has taken place.

We are currently investigating whether any further patches or measures are required in light of the emergence of the related CVE-2021-45046 vulnerability.
Posted Dec 15, 2021 - 11:20 UTC
Intercom is aware of the security issue relating to the open-source Apache “Log4j2" utility .

Log4j is a Java-based logging utility found in a wide number of software products.

The CVE-2021-44228 vulnerability (aka the “Log4Shell” vulnerability) was disclosed by the Apache Log4j project. If exploited, this vulnerability could potentially allow a remote attacker to execute code on the server.

Once this vulnerability was publicly disclosed on the 9th December 2021, Intercom promptly began an audit of all our software, infrastructure, as well as engaging with our software vendors to determine potential impact. Thus far, while our exposure to the vulnerability has been minimal, we began to put remediations in place through a combination of software updates and systems hardening.

If Intercom becomes aware of any unauthorized access to customer data, we will notify impacted customers without undue delay.
This page will be updated over the coming days as more information becomes available.
Posted Dec 13, 2021 - 17:12 UTC