Onshape response to the log4j security vulnerability
Incident Report for Onshape
Resolved
The Onshape Security Team continues to monitor the situation and work with our vendors to make sure they maintain their vigilance. There were no exploitable vulnerabilities discovered in the Onshape service. Further updates will be posted on the Onshape forums at https://forum.onshape.com/discussion/17295/onshape-response-to-the-log4j-security-vulnerability#latest
Posted Jan 03, 2022 - 09:55 EST
Update
The Onshape Security Team has been following the rapid progression of the log4j vulnerability since last Friday. We have also added automated scanning tools to the manual inspection being performed by our team.

Onshape continues to have no known exploitable issues. An internal service was updated over the weekend to remove a potential vulnerability out of an abundance of caution.

Since Saturday, Onshape has been reaching out to all of our critical vendors to understand whether they are vulnerable and what mitigations they are applying. At this point, there are no known exploits, but we will continue to work with our vendors as their investigations progress.

There is still no action needed by our customers. The Onshape Security Team continues to monitor the situation as it develops and will provide updates here if any important changes occur.
Posted Dec 14, 2021 - 20:40 EST
Monitoring
Many of you may have heard about the recently announced, serious security vulnerability in a widely used Java logging package called log4j.

This issue potentially impacts products and services everywhere. Desktop systems, embedded systems, mobile devices, cloud services, and enterprise software are all potentially vulnerable.

The Onshape Security Team has been actively investigating any potential impact of this vulnerability since early Friday morning. No exploitable issues in Onshape have been discovered, but this is a very serious bug and we continue to investigate.

Technical details of the vulnerability can be found here: https://www.lunasec.io/docs/blog/log4j-zero-day/

There is no action any of our customers need to take at this time. We will continue to provide updates as more information becomes available. As always, we strive to be as transparent as possible with the Onshape community.

Onshape Security Team
security@onshape.com
Posted Dec 11, 2021 - 10:35 EST