Healthjump is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility (CVE-2021-44228). Healthjump’s software, including our agent and data pipelines, is not written in Java and is therefore not vulnerable. However, Healthjump relies on a number of services provided by our cloud hosting vendor, AWS. Currently, the services reported by AWS that are utilized by Healthjump have been patched or are unaffected by CVE-2021-44228.
Below are the AWS services Healthjump utilizes and AWS’s latest updates:
Amazon S3 completed patching for the Apache Log4j2 issue (CVE-2021-44228) for S3’s data ingress and egress on 2021/12/11. We have also completed patching all other S3 systems that used Log4j2.
Amazon Redshift clusters have been automatically updated on 2021/12/15 3:30 PM PST to mitigate the issues identified in CVE-2021-44228.
Amazon RDS and Amazon Aurora are actively addressing all service usage of Log4j2 by applying updates. RDS-built relational database engines do not include the Apache Log4j2 library.
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.
Elastic Load Balancing
Elastic Load Balancing services have been updated to mitigate the issues identified in CVE-2021-44228. All Elastic Load Balancers, as well as Classic, Application, Network, and Gateway, are not written in Java and therefore were not affected by this issue.
Please be aware that all PHI transmitted to and/or stored by Healthjump in AWS services is encrypted at rest and in transit (see Healthjump Agent Security - Encryption). In the unlikely event AWS does experience a data breach as a result of CVE-2021-44228 or a similar vulnerability, PHI would not be at risk of disclosure. If you have additional questions or concerns, email Healthjump at firstname.lastname@example.org, or reach out to your Client Success Manager.