Nativo
Sponsored Content

The world's largest library of brand-approved brand-voiced content. Get the official word from companies on their brands, products, events, and more. Do research, get informed, and hear it all directly from the brands you care about.

SecurityIncident ResponsePrivacyPlatform StatusPress

Log4Shell Vulnerability And The Nativo Platform

Nativo
Log4Shell Vulnerability And The Nativo Platform

Frequently Asked Questions

Was any customer data compromised in the Log4Shell incident?

Initial findings indicate it’s unlikely any data was compromised. Nativo identified possible unauthorized access to a small number of segregated servers for a limited 24-hour window, but there are no confirmed data breaches at this time.

What types of data may have been at risk?

Data on the potentially affected servers may have included User Profile Records, reference data tied to Cookie IDs or Mobile Advertising IDs, and transactional log records (six hours of activity) such as timestamp, cookie/advertising ID, user agent, IP address, browser language, page visited, referring page, and key/value records.

What actions did Nativo take in response to Log4Shell?

Nativo implemented Apache’s initial patch and then applied subsequent updates when Apache released a second, more complete patch. Affected servers were shut down as part of operations, upgraded to a newer Log4j version, and replaced. All vulnerable systems were remediated and rigorously tested.

How can I get more information or ask questions?

If you have questions about the Log4Shell vulnerability or Nativo’s response, contact privacy@nativo.com.

AI-Generated Summary70-80% of original length
Original Article

UPDATE: Initial findings around the Log4Shell vulnerability and the Nativo Platform have determined that it’s unlikely any data was compromised. All systems have been updated to the latest log4j patch and have been rigorously tested.

On December 10, 2021, a vulnerability, dubbed Log4Shell, in the commonly used Apache Log4j library was disclosed to the public (CVE-2021-44228). Apache issued a first patch for the vulnerability, which Nativo implemented, but this update proved to be incomplete, leaving our systems vulnerable for several days until Apache issued a second update.

We found evidence of possible unauthorized access to a small number of servers during a 24-hour period occurring between the deployment of the two provided patches. The servers potentially involved were located in a separate Virtual Private Cloud that is segregated from our main system. The data stored on these servers that may have been at risk includes User Profile Records, reference data tied to a Cookie ID or Mobile Advertising ID, and transactional data from Log Records (covering 6 hours activity) describing details about a user session and ad impression, including:

  • Timestamp.
  • Cookie ID or Mobile Advertising ID (as applicable).
  • User agent (device, browser, etc.).
  • IP address.
  • Browser language.
  • Page visited.
  • Referring page.
  • Key/value records.

More information on these data types can be found in our Privacy Policy.

By the time this activity was identified, the affected servers were already shut down as part of normal operations. All servers were quickly upgraded to a newer version of Log4j and all vulnerable systems were replaced. At the moment, there are no known vulnerabilities in our systems and no new exploit attempts have been identified.

We’ll continue to monitor the issue closely. If you have any questions concerning the Log4Shell vulnerability or Nativo’s response, please send a note to privacy@nativo.com.

Share this article

Share on Twitter Share on LinkedIn