Log4Shell Vulnerability And The Nativo Platform

UPDATE: Initial findings around the Log4Shell vulnerability and the Nativo Platform have determined that it’s unlikely any data was compromised. All systems have been updated to the latest log4j patch and have been rigorously tested.

On December 10, 2021, a vulnerability, dubbed Log4Shell, in the commonly used Apache Log4j library was disclosed to the public (CVE-2021-44228). Apache issued a first patch for the vulnerability, which Nativo implemented, but this update proved to be incomplete, leaving our systems vulnerable for several days until Apache issued a second update.

We found evidence of possible unauthorized access to a small number of servers during a 24-hour period occurring between the deployment of the two provided patches. The servers potentially involved were located in a separate Virtual Private Cloud that is segregated from our main system. The data stored on these servers that may have been at risk includes User Profile Records, reference data tied to a Cookie ID or Mobile Advertising ID, and transactional data from Log Records (covering 6 hours activity) describing details about a user session and ad impression, including:

• Timestamp.
• Cookie ID or Mobile Advertising ID (as applicable).
• User agent (device, browser, etc.).
• IP address.
• Browser language.
• Page visited.
• Referring page.
• Key/value records.

More information on these data types can be found in our Privacy Policy.

By the time this activity was identified, the affected servers were already shut down as part of normal operations. All servers were quickly upgraded to a newer version of Log4j and all vulnerable systems were replaced. At the moment, there are no known vulnerabilities in our systems and no new exploit attempts have been identified.

We’ll continue to monitor the issue closely. If you have any questions concerning the Log4Shell vulnerability or Nativo’s response, please send a note to privacy@nativo.com.

‍