Zoom Security Bulletin for Apache Log4j Disclosures

Last updated: Jan 14, 2022 at 3:55 pm PST

Summary

Zoom has been analyzing our products and services to identify and mitigate the Apache Log4j vulnerabilities disclosed in CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Zoom continues to mitigate and patch vulnerable versions of Log4j in accordance with Apache’s recommendations. We plan to update identified vulnerable Log4j instances to the latest available version as new versions are released and after testing.

Addressing these vulnerabilities is a top priority for Zoom. We are closely monitoring the situation and working diligently to resolve it as soon as possible. This page will be updated as material information becomes available.

Based on our findings to date, we’ve outlined below the current status of Zoom products and services.

Zoom Products and Services: Status

Zoom Meetings, Zoom Events, Zoom Webinars, OnZoom

Zoom clients for Windows, Mac, Linux, iOS, Android, BlackBerry, VDI (and VDI plug-in), and web clients do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom’s Production Backend (excluding Third-Party Commercial Software)*

Zoom’s production backend (excluding third-party commercial software) has been updated to Log4j version 2.16.0 as the minimum version, or mitigated, to address the issues identified in CVE-2021-44228 and CVE-2021-45046. Zoom conducted an assessment of the issues in CVE-2021-44832 and CVE-2021-45105 and determined that our production backend is not vulnerable, given the conditions those issues require for exploitation.

Zoom’s Production Backend Third-Party Commercial Software

We are in the process of assessing the situation with our third-party commercial software vendors. We have applied, and will continue to apply, any updates as they become available.
Zoom’s core third-party software vendors have been updated or mitigated.

Zoom for Government

Zoom clients for Windows, Mac, Linux, iOS, Android, BlackBerry, VDI (and VDI plug-in), and web clients do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom Phone

Zoom Phone clients do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom Rooms and Zoom for Home

Zoom Rooms and Zoom for Home clients do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom Team Chat

Zoom Team Chat clients do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom Marketplace

For our backend, we have applied Apache’s recommended mitigations and updated any systems identified to date to Log4j version 2.16.0 as the minimum version. No action is required by users at this time.

Zoom Developer Platform APIs & SDKs

Zoom SDKs do not use the vulnerable versions of Log4j.

No action is required by users at this time.

Zoom On-Premises Deployment

The Zoom Hybrid MMR, VRC, Meeting Connector, API Connector, and Recording Connector do not use the vulnerable versions of Log4j.

Services Provided by Third Parties

We are in the process of assessing the situation with our third parties.

Device Partners for Zoom Phone and Zoom Rooms

Our device partners for Zoom Phone and Zoom Rooms have confirmed that they are not impacted.

Zoom Apps

Our third-party Zoom Apps developers have confirmed that any Zoom App using a vulnerable version of Log4j has been updated or mitigated.

Editor’s note: This bulletin was edited on Jan. 14, 2022 to include the most up-to-date information on Zoom’s response to the CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 vulnerabilities.