In response to the ongoing CVEs related to Log4j vulnerabilities, Demandbase has taken the following actions. For environments using version 2.10 or later where immediate updating is not possible, the vulnerability has been mitigated in all areas by either removing the library or removing the JndiLookup class from the classpath.
Additionally, we have taken steps to mitigate the issue using firewall updates. Demandbase is also in the process of reviewing our vendors to verify their mitigation strategies. There has been no evidence of compromise before or since the mitigation steps were taken. No customer action is required at this time.
For more information, see CVE-2021-44228 and CVE-2021-45046.
Security is of utmost importance to Demandbase as we continue to maintain your trust.