Log4j is a common Java-based, open-source package maintained by the Apache Software Foundation. Many consumer-facing products and services use Log4j to record activities in a wide range of systems. Recently, a serious vulnerability (CVE-2021-44228 and CVE-2021-45046) was disclosed, posing severe risk to millions of consumer applications.
Energy Sensei does not use Java as a programming language, and as a result this vulnerability did not affect the consumer-facing application. However, we did find that a database service we use from Amazon Web Services used the version of Log4j affected by this vulnerability. As soon as Amazon Web Services made a patch available, we applied the patch to mitigate this vulnerability.
As a matter of good practice, we work to eliminate or reduce paths through which bad actors can pass bad content into the system. We also have a robust vulnerability management system, where we emphasize proactive security through patch management and regular security assessments.
We will continue to evaluate our systems for vulnerabilities regularly. We are committed to keeping your data secure and meeting our service level agreements. We employ industry best practices to secure your data both in transit and at rest. For more information, see our statement on Data Security.